
Windows Analysis Report
uVpytXGpQz.exe

Overview

General Information

Sample name: uVpytXGpQz.exe (renamed because the original name is a hash value)
Original sample name: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
Analysis ID: 1588380
MD5: 022dbaa1df24d488b03ecb058a521613
SHA1: 9f12948c741b6b27cce58d4cd804a2f988feddf2
SHA256: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • uVpytXGpQz.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\uVpytXGpQz.exe" MD5: 022DBAA1DF24D488B03ECB058A521613)
    • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • EmbeddedExe1.exe (PID: 8144 cmdline: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" MD5: 47310E2D76477F79641F8703027A60B0)
      • caulds.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" MD5: 47310E2D76477F79641F8703027A60B0)
        • RegSvcs.exe (PID: 1824 cmdline: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • cmd.exe (PID: 1472 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • choice.exe (PID: 1384 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • EmbeddedExe2.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe" MD5: 5EFEF6CC9CD24BAEEED71C1107FC32DF)
  • wscript.exe (PID: 6024 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • caulds.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\poufs\caulds.exe" MD5: 47310E2D76477F79641F8703027A60B0)
      • RegSvcs.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Local\poufs\caulds.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • cmd.exe (PID: 8080 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • choice.exe (PID: 7476 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg/sendMessage?chat_id=1217600190", "Token": "1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg", "Chat_id": "1217600190", "Version": "5.1"}
Source | Rule | Description | Author | Strings
0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14954:$a1: get_encryptedPassword
  • 0x14c40:$a2: get_encryptedUsername
  • 0x14760:$a3: get_timePasswordChanged
  • 0x1485b:$a4: get_passwordField
  • 0x1496a:$a5: set_encryptedPassword
  • 0x15ff8:$a7: get_logins
  • 0x15f5b:$a10: KeyLoggerEventArgs
  • 0x15bc6:$a11: KeyLoggerEventArgsEventHandler
0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x19970:$x1: $%SMTPDV$
  • 0x18354:$x2: $#TheHashHere%&
  • 0x19918:$x3: %FTPDV$
  • 0x182f4:$x4: $%TelegramDv$
  • 0x15bc6:$x5: KeyLoggerEventArgs
  • 0x15f5b:$x5: KeyLoggerEventArgs
  • 0x1993c:$m2: Clipboard Logs ID
  • 0x19b7a:$m2: Screenshot Logs ID
  • 0x19c8a:$m2: keystroke Logs ID
  • 0x19f64:$m3: SnakePW
  • 0x19b52:$m4: \SnakeKeylogger\
0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
10.2.caulds.exe.1360000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.caulds.exe.1360000.1.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
10.2.caulds.exe.1360000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12d54:$a1: get_encryptedPassword
  • 0x13040:$a2: get_encryptedUsername
  • 0x12b60:$a3: get_timePasswordChanged
  • 0x12c5b:$a4: get_passwordField
  • 0x12d6a:$a5: set_encryptedPassword
  • 0x143f8:$a7: get_logins
  • 0x1435b:$a10: KeyLoggerEventArgs
  • 0x13fc6:$a11: KeyLoggerEventArgsEventHandler
10.2.caulds.exe.1360000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a738:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1996a:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19d9d:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1addc:$a5: \Kometa\User Data\Default\Login Data
10.2.caulds.exe.1360000.1.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x13944:$s1: UnHook
  • 0x1394b:$s2: SetHook
  • 0x13953:$s3: CallNextHook
  • 0x13960:$s4: _hook

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" , ProcessId: 6024, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" , ParentImage: C:\Users\user\AppData\Local\poufs\caulds.exe, ParentProcessId: 7396, ParentProcessName: caulds.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe" , ProcessId: 1824, ProcessName: RegSvcs.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs" , ProcessId: 6024, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\poufs\caulds.exe, ProcessId: 7396, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T01:37:29.085992+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49766 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:30.571070+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49777 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:32.138874+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49789 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:33.625908+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49797 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:35.068708+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49811 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:36.589745+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49822 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:43.730191+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49864 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:45.546352+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49874 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:50.879452+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49907 | 104.21.64.1 | 443 | TCP
2025-01-11T01:37:53.956541+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49931 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T01:37:27.400991+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49750 | 132.226.8.169 | 80 | TCP
2025-01-11T01:37:28.521750+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49750 | 132.226.8.169 | 80 | TCP
2025-01-11T01:37:29.961947+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49771 | 132.226.8.169 | 80 | TCP
2025-01-11T01:37:41.601938+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49847 | 132.226.8.169 | 80 | TCP
2025-01-11T01:37:43.117648+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49847 | 132.226.8.169 | 80 | TCP
2025-01-11T01:37:44.945694+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49868 | 132.226.8.169 | 80 | TCP


AV Detection

Source: uVpytXGpQz.exe | Avira: detected
Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg/sendMessage?chat_id=1217600190", "Token": "1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg", "Chat_id": "1217600190", "Version": "5.1"}
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Virustotal: Detection: 69%
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | ReversingLabs: Detection: 63%
Source: uVpytXGpQz.exe | Virustotal: Detection: 71%
Source: uVpytXGpQz.exe | ReversingLabs: Detection: 68%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Joe Sandbox ML: detected
Source: uVpytXGpQz.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: uVpytXGpQz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.10:49759 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.10:49858 version: TLS 1.0
Source: uVpytXGpQz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: caulds.exe, 0000000A.00000003.1365281073.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000A.00000003.1366935338.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510471767.0000000004240000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510798124.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: caulds.exe, 0000000A.00000003.1365281073.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000A.00000003.1366935338.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510471767.0000000004240000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510798124.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010445A GetFileAttributesW,FindFirstFileW,FindClose, 8_2_0010445A
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010C6D1 FindFirstFileW,FindClose, 8_2_0010C6D1
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_0010C75C
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0010EF95
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0010F0F2
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_0010F3F3
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_001037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_001037EF
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00103B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00103B12
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_0010BCBC
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF26B00 GetProcAddress,FindFirstFileA,CloseHandle, 9_2_00007FF68EF26B00
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF00520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId, 9_2_00007FF68EF00520
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF32190 FindFirstFileA,FindClose,FindWindowA, 9_2_00007FF68EF32190
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF33F40 FindFirstFileA,FindClose, 9_2_00007FF68EF33F40
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058445A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0058445A
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058C6D1 FindFirstFileW,FindClose, 10_2_0058C6D1
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0058C75C
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0058EF95
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0058F0F2
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0058F3F3
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_005837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_005837EF
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_00583B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00583B12
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_0058BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0058BCBC
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\

Networking

            barindex
            Source: Yara matchFile source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
            Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
            Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49847 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49868 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49771 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49750 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49766 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49777 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49789 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49822 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49874 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49811 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49864 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49907 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49797 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49931 -> 104.21.64.1:443
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.10:49759 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.10:49858 version: TLS 1.0
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_001122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,8_2_001122EE
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
            Source: RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.00000000029FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: RegSvcs.exe, 0000000B.00000002.1500953164.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002941000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: caulds.exe, 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, caulds.exe, 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://ocsp.comodoca.com0
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: http://ocsp.sectigo.com0
            Source: RegSvcs.exe, 0000000B.00000002.1502078806.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
            Source: RegSvcs.exe, 0000000B.00000002.1502078806.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002941000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: caulds.exe, 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, caulds.exe, 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: https://sectigo.com/CPS0
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
            Source: uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49885
            Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49919
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
            Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49931
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49874
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
            Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49895
            Source: unknown | Network traffic detected: HTTP traffic on port 49919 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49931 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49874 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49895 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907
            Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00114164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00114164
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00114164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00114164
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EED7060 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,SendMessageA,9_2_00007FF68EED7060
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EED85D0 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,GlobalFree,GlobalFree,9_2_00007FF68EED85D0
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_00594164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_00594164
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00113F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,8_2_00113F66
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,8_2_0010001C
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0012CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_0012CABC
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_005ACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_005ACABC

            System Summary

            Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: This is a third-party compiled AutoIt script.8_2_000A3B3A
            Source: EmbeddedExe1.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: EmbeddedExe1.exe, 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2b9c9c5c-6
            Source: EmbeddedExe1.exe, 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e91fd963-2
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: This is a third-party compiled AutoIt script.10_2_00523B3A
            Source: caulds.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: caulds.exe, 0000000A.00000002.1369094437.00000000005D4000.00000040.00000001.01000000.00000009.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_cac089a8-2
            Source: caulds.exe, 0000000A.00000002.1369094437.00000000005D4000.00000040.00000001.01000000.00000009.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d36b6742-e
            Source: caulds.exe, 0000000E.00000002.1511434241.00000000005D4000.00000040.00000001.01000000.00000009.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_824d0294-3
            Source: caulds.exe, 0000000E.00000002.1511434241.00000000005D4000.00000040.00000001.01000000.00000009.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7b73c95c-6
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,8_2_000A3633
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,8_2_0012C1AC
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,8_2_0012C498
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C57D SendMessageW,NtdllDialogWndProc_W,8_2_0012C57D
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,8_2_0012C5FE
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C860 NtdllDialogWndProc_W,8_2_0012C860
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C88F NtdllDialogWndProc_W,8_2_0012C88F
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C8BE NtdllDialogWndProc_W,8_2_0012C8BE
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C909 NtdllDialogWndProc_W,8_2_0012C909
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012C93E ClientToScreen,NtdllDialogWndProc_W,8_2_0012C93E
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012CA7C GetWindowLongW,NtdllDialogWndProc_W,8_2_0012CA7C
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_0012CABC
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D2C8D0,NtdllDialogWndProc_W,8_2_000A1287
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,8_2_000A1290
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012D3B8 NtdllDialogWndProc_W,8_2_0012D3B8
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,8_2_0012D43E
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A167D NtdllDialogWndProc_W,8_2_000A167D
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A16B5 NtdllDialogWndProc_W,8_2_000A16B5
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A16DE GetParent,NtdllDialogWndProc_W,8_2_000A16DE
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012D78C NtdllDialogWndProc_W,8_2_0012D78C
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A189B NtdllDialogWndProc_W,8_2_000A189B
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012BC5D NtdllDialogWndProc_W,CallWindowProcW,8_2_0012BC5D
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012BF30 NtdllDialogWndProc_W,8_2_0012BF30
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0012BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,8_2_0012BF8C
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_00523633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,10_2_00523633
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,10_2_005AC1AC
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,10_2_005AC498
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC57D SendMessageW,NtdllDialogWndProc_W,10_2_005AC57D
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,10_2_005AC5FE
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC860 NtdllDialogWndProc_W,10_2_005AC860
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC88F NtdllDialogWndProc_W,10_2_005AC88F
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC8BE NtdllDialogWndProc_W,10_2_005AC8BE
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC909 NtdllDialogWndProc_W,10_2_005AC909
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AC93E ClientToScreen,NtdllDialogWndProc_W,10_2_005AC93E
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005ACA7C GetWindowLongW,NtdllDialogWndProc_W,10_2_005ACA7C
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005ACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_005ACABC
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_00521290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,10_2_00521290
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_00521287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D2C8D0,NtdllDialogWndProc_W,10_2_00521287
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AD3B8 NtdllDialogWndProc_W,10_2_005AD3B8
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,10_2_005AD43E
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_0052167D NtdllDialogWndProc_W,10_2_0052167D
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005216DE GetParent,NtdllDialogWndProc_W,10_2_005216DE
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005216B5 NtdllDialogWndProc_W,10_2_005216B5
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005AD78C NtdllDialogWndProc_W,10_2_005AD78C
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_0052189B NtdllDialogWndProc_W,10_2_0052189B
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005ABC5D NtdllDialogWndProc_W,CallWindowProcW,10_2_005ABC5D
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005ABF30 NtdllDialogWndProc_W,10_2_005ABF30
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005ABF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,10_2_005ABF8C
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_0010A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,8_2_0010A1EF
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000F85B1 GetCurrentProcess,OpenProcessToken,CloseHandle,CreateProcessWithLogonW,8_2_000F85B1
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_001051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,8_2_001051BD
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_005851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,10_2_005851BD
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021
Source: EmbeddedExe1.exe.5.dr | Static PE information: Resource name: RT_MENU type: DOS executable (COM)
Source: caulds.exe.8.dr | Static PE information: Resource name: RT_MENU type: DOS executable (COM)
Source: uVpytXGpQz.exe, 00000005.00000002.1288133549.000000001C190000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs uVpytXGpQz.exe
Source: uVpytXGpQz.exe, 00000005.00000000.1274361864.0000000000EC2000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamePURCHASE DOCUMENTS.exe4 vs uVpytXGpQz.exe
Source: uVpytXGpQz.exe, 00000005.00000002.1287330059.000000000312C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePuTTYd" vs uVpytXGpQz.exe
Source: uVpytXGpQz.exe, 00000005.00000000.1274134430.0000000000CA2000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamePuTTYd" vs uVpytXGpQz.exe
Source: uVpytXGpQz.exe | Binary or memory string: OriginalFilenamePuTTYd" vs uVpytXGpQz.exe
Source: uVpytXGpQz.exe | Binary or memory string: OriginalFilenamePURCHASE DOCUMENTS.exe4 vs uVpytXGpQz.exe
Source: uVpytXGpQz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@25/10@2/2
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010A06A GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000F81CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_005781CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_005787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0011EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_0010C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000A4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uVpytXGpQz.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | File created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs"
Source: uVpytXGpQz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uVpytXGpQz.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.55%
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uVpytXGpQz.exe | Virustotal: Detection: 71%
Source: uVpytXGpQz.exe | ReversingLabs: Detection: 68%
Source: EmbeddedExe2.exe | String found in binary or memory: config-address-family
Source: EmbeddedExe2.exe | String found in binary or memory: config-ssh-portfwd-address-family
Source: EmbeddedExe2.exe | String found in binary or memory: config-serial-stopbits
Source: uVpytXGpQz.exe | String found in binary or memory: config-address-family
Source: uVpytXGpQz.exe | String found in binary or memory: config-ssh-portfwd-address-family
Source: uVpytXGpQz.exe | String found in binary or memory: config-serial-stopbits
Source: uVpytXGpQz.exe | String found in binary or memory: source-address
Source: uVpytXGpQz.exe | String found in binary or memory: /config-address-family.html
Source: uVpytXGpQz.exe | String found in binary or memory: /config-serial-stopbits.html
Source: uVpytXGpQz.exe | String found in binary or memory: j'/config-ssh-portfwd-address-family.html
Source: uVpytXGpQz.exe | String found in binary or memory: /faq-startmax.html
Source: uVpytXGpQz.exe | String found in binary or memory: /faq-startsess.html
Source: uVpytXGpQz.exe | String found in binary or memory: /faq-startssh.html
Source: uVpytXGpQz.exe | String found in binary or memory: /feedback-address.html
Source: uVpytXGpQz.exe | String found in binary or memory: /pageant-mainwin-addkey.html
Source: uVpytXGpQz.exe | String found in binary or memory: /pageant-start.html
Source: uVpytXGpQz.exe | String found in binary or memory: /plink-starting.html
Source: uVpytXGpQz.exe | String found in binary or memory: /pscp-starting.html
Source: uVpytXGpQz.exe | String found in binary or memory: /psftp-cmd-help.html
Source: uVpytXGpQz.exe | String found in binary or memory: /psftp-starting.html
Source: unknown | Process created: C:\Users\user\Desktop\uVpytXGpQz.exe "C:\Users\user\Desktop\uVpytXGpQz.exe"
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Process created: C:\Users\user\AppData\Local\poufs\caulds.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\poufs\caulds.exe "C:\Users\user\AppData\Local\poufs\caulds.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\poufs\caulds.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
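The "Section loaded" entries above are more useful per process than per line: which dropped binary pulled in networking or crypto DLLs, and which script host loaded AMSI. The following parser is an added example written for this page, not Joe Sandbox code; it reads a constructed excerpt in the report's own line format (path immediately followed by the event text and the "Jump to behavior" link residue) and the capability grouping is this example's own heuristic.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the report's own line format (assumed input, not a
# full report): path immediately followed by the event text and link residue.
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\poufs\caulds.exeSection loaded: wsock32.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)", re.I)

# Capability hints keyed on the DLLs a process pulled in. This grouping is the
# example's own heuristic, not a Joe Sandbox signature.
CAPABILITIES = {
    "network":   {"wininet.dll", "winhttp.dll", "wsock32.dll", "ws2_32.dll", "urlmon.dll"},
    "crypto":    {"rsaenh.dll", "cryptsp.dll", "bcrypt.dll", "ncrypt.dll"},
    "scripting": {"vbscript.dll", "jscript.dll", "scrrun.dll", "scrobj.dll", "wshext.dll"},
    "amsi":      {"amsi.dll"},
}


def parse_section_loads(text):
    """Map process path -> ordered list of loaded DLL names (duplicates kept)."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loads.setdefault(m["proc"], []).append(m["dll"].lower())
    return loads


def capability_hints(loads):
    """Process path -> sorted capability tags implied by its DLL set."""
    return {proc: sorted(tag for tag, dlls in CAPABILITIES.items() if set(seen) & dlls)
            for proc, seen in loads.items()}


def repeated_loads(loads):
    """Process path -> {dll: count} for DLLs the process loaded more than once."""
    out = {}
    for proc, seen in loads.items():
        counts = {d: seen.count(d) for d in set(seen) if seen.count(d) > 1}
        if counts:
            out[proc] = counts
    return out


if __name__ == "__main__":
    loads = parse_section_loads(SAMPLE_REPORT)
    for proc, tags in capability_hints(loads).items():
        print(f"{proc}: {', '.join(tags) or 'no hints'}")
    print(repeated_loads(loads))
```

Run against the full section the same way; the two dropped AutoIt-style binaries come out with identical network profiles, and wscript.exe shows the scripting plus AMSI combination expected of a VBS host.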
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder  Window detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe  Window detected: Number of UI elements: 20
            Source: uVpytXGpQz.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header present, i.e. the submitted sample is a .NET assembly)
            Source: uVpytXGpQz.exe  Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: uVpytXGpQz.exe  Static file information: File size 2226176 > 1048576
            Source: uVpytXGpQz.exe  Static PE information: Raw size of .text is bigger than: 0x100000 < 0x21ee00
            Source: uVpytXGpQz.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP  source: caulds.exe, 0000000A.00000003.1365281073.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000A.00000003.1366935338.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510471767.0000000004240000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510798124.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb  source: caulds.exe, 0000000A.00000003.1365281073.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000A.00000003.1366935338.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510471767.0000000004240000.00000004.00001000.00020000.00000000.sdmp, caulds.exe, 0000000E.00000003.1510798124.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
            (wntdll.pdb is the PDB name of the 32-bit ntdll.dll; the string turns up in memory dumps of both caulds.exe processes, 0xA and 0xE.)
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Code function: 8_2_000A4B37 LoadLibraryA,GetProcAddress, 8_2_000A4B37
            Source: EmbeddedExe2.exe.5.dr  Static PE information: section name: .00cfg
            Source: EmbeddedExe2.exe.5.dr  Static PE information: section name: .gxfg
            Source: EmbeddedExe2.exe.5.dr  Static PE information: section name: _RDATA
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  Code function: 5_2_00007FF7C10500BD pushad ; iretd 5_2_00007FF7C10500C1
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Code function: 8_2_000C8945 push ecx; ret 8_2_000C8958
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Code function: 8_2_000A2F12 push es; retf 8_2_000A2F13
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Code function: 10_2_0052C4C6 push A30052BAh; retn 0052h 10_2_0052C50D
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Code function: 10_2_00548945 push ecx; ret 10_2_00548958
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Code function: 10_2_00522F12 push es; retf 10_2_00522F13
            Source: initial sample  Static PE information: section name: UPX0
            Source: initial sample  Static PE information: section name: UPX1
            Source: initial sample  Static PE information: section name: UPX0
            Source: initial sample  Static PE information: section name: UPX1
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  File created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe (dropped file)
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  File created: C:\Users\user\AppData\Local\poufs\caulds.exe (dropped file)
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  File created: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe (dropped file)

            Boot Survival

            barindex
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs (dropped file; three file-creation events on the same path)
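The persistence here is a VBS script written into the per-user Startup folder, which the Sigma rule "Drops script at startup location" flagged in the summary. As an added example for this page (not part of the report and not Joe Sandbox or Sigma code), the check below runs the same logic over constructed Sysmon-style FileCreate events: a script-type extension landing in a Startup folder is a finding, and the severity rises when the writer itself lives in a user-writable directory. The event fields and sample paths are assumptions modelled on the caulds.vbs drop above.

```python
import ntpath

# Per-user and all-users Startup folders share this suffix; compared on the
# lower-cased path, trailing backslash so the folder itself has to match.
STARTUP_MARKERS = ("\\microsoft\\windows\\start menu\\programs\\startup\\",)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1"}
# Writers running from these locations get a higher severity: installers
# normally run from Program Files, droppers from user-writable paths.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed Sysmon-style events (EventID 11 = FileCreate). The first mirrors
# the caulds.vbs drop from the report; the others are benign or unrelated noise.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\poufs\caulds.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Vendor Agent.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.cmd"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\poufs\caulds.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\poufs\settings.ini"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs"'},
]


def is_startup_script_drop(event):
    """True for a FileCreate of a script-type file inside a Startup folder."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "").lower()
    ext = ntpath.splitext(target)[1]
    return ext in SCRIPT_EXTENSIONS and any(m in target for m in STARTUP_MARKERS)


def severity_for(event):
    """'high' when the writing process runs from a user-writable location."""
    image = event.get("Image", "").lower()
    return "high" if any(m in image for m in USER_WRITABLE_MARKERS) else "medium"


def detect_startup_script_drops(events):
    """One finding per matching event, high severity first."""
    findings = [{"severity": severity_for(e), "image": e["Image"], "target": e["TargetFilename"]}
                for e in events if is_startup_script_drop(e)]
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in detect_startup_script_drops(EVENTS):
        print(f"[{f['severity']}] {f['image']} -> {f['target']}")
```

The .lnk written by the installer is deliberately not matched: shortcuts in Startup are routine, whereas a .vbs or .cmd there is rare enough in most fleets to page on, and the writer running from AppData is what separates this drop from a vendor agent.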
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Code function: 8_2_000A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_000A48D7
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Code function: 8_2_00125376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00125376
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe  Code function: 9_2_00007FF68EED97B0 IsIconic,ShowWindow, 9_2_00007FF68EED97B0
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe  Code function: 9_2_00007FF68EED9610 IsIconic,SetWindowTextW,SetWindowTextA, 9_2_00007FF68EED9610
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe  Code function: 9_2_00007FF68EED96E0 IsIconic,SetWindowTextW,SetWindowTextA, 9_2_00007FF68EED96E0
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Code function: 10_2_005248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_005248D7
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Code function: 10_2_005A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_005A5376
            (The caulds.exe routines are the EmbeddedExe1.exe routines at a base 0x480000 higher: 0x005248D7 - 0x000A48D7 = 0x005A5376 - 0x00125376 = 0x480000. Together with the file-creation entry showing EmbeddedExe1.exe writing caulds.exe, this identifies caulds.exe as a copy of EmbeddedExe1.exe relocated to %LOCALAPPDATA%\poufs.)
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000C3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_000C3187
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  Process information set: NOOPENFILEERRORBOX (16 events)
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Process information set: NOOPENFILEERRORBOX (2 events)
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Process information set: NOOPENFILEERRORBOX (2 events)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX (50 events)
            Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX (3 events)
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  Process information set: NOOPENFILEERRORBOX (2 events)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX (50 events)
            (NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode, which suppresses the "file not found" dialog when a DLL cannot be loaded. Benign runtimes set it too, so the count alone carries little weight; the spread across wscript.exe and RegSvcs.exe mainly documents which hosts the chain passed through.)

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  API/Special instruction interceptor: Address: 13D7544
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe  API/Special instruction interceptor: Address: 1828874
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  Memory allocated: 15F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe  Memory allocated: 1B110000 memory reserve | memory write watch
            (MEM_WRITE_WATCH reservations are also made by the .NET garbage collector, and the submitted sample carries a CLR header, so on their own these two allocations are weak evidence of evasion.)
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe  Code function: 8_2_000B8C74 sldt word ptr [eax] 8_2_000B8C74
            (sldt stores the LDT selector; it is one of the classic unprivileged instructions used to fingerprint virtual machines, since its result differs between bare metal and some hypervisors.)
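The "Thread delayed" entries that follow in this section are worth reading as a sequence rather than one by one: a single enormous delay is an unbounded wait, and a run of delays that shrink by about 110 ms each is a loop re-arming a sleep against a fixed deadline, the stalling pattern that exhausts a sandbox's analysis window. The script below is an added example for this page (not Joe Sandbox code) that parses a constructed excerpt in the report's own line format and classifies each process on exactly those two criteria. The assumption that 922337203685477 is TimeSpan.MaxValue expressed in milliseconds is the example's own reading of the value.

```python
import re

DELAY_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*Thread delayed: delay time:\s*(?P<ms>\d+)", re.I)

# Assumption: an unbounded managed wait is reported as TimeSpan.MaxValue in
# milliseconds (9223372036854775807 ticks / 10000), about 29,000 years.
UNBOUNDED_MS = 922337203685477
ONE_YEAR_MS = 365 * 24 * 3600 * 1000

# Constructed excerpt in the report's own line format (assumed input).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\uVpytXGpQz.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599672Jump to behavior
"""


def parse_delays(text):
    """Ordered list of (process path, delay in ms) in report order."""
    out = []
    for line in text.splitlines():
        m = DELAY_RE.match(line.strip())
        if m:
            out.append((m["proc"], int(m["ms"])))
    return out


def is_countdown(values, max_step_ms=1000, min_len=3):
    """True when at least min_len consecutive sleeps each shrink by a small
    step: a loop that keeps re-arming a sleep against one fixed deadline."""
    run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if 0 < prev - cur <= max_step_ms else 1
        if run >= min_len:
            return True
    return False


def analyze(text):
    """Per process: unbounded wait seen, total finite stall, countdown loop."""
    per_proc = {}
    for proc, ms in parse_delays(text):
        per_proc.setdefault(proc, []).append(ms)
    result = {}
    for proc, values in per_proc.items():
        finite = [v for v in values if v < ONE_YEAR_MS]
        result[proc] = {
            "unbounded": any(v == UNBOUNDED_MS or v >= ONE_YEAR_MS for v in values),
            "finite_total_ms": sum(finite),
            "countdown": is_countdown(finite),
        }
    return result


if __name__ == "__main__":
    for proc, verdict in analyze(SAMPLE_REPORT).items():
        print(proc, verdict)
```

Applied to the whole section, RegSvcs.exe shows both an unbounded wait and a ten-minute countdown that loses roughly 110 ms per iteration; the hour-scale total of those finite sleeps is what a default sandbox run never outlasts, which is the point of the technique.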
            Source: C:\Users\user\Desktop\uVpytXGpQz.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599672Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599563Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599438Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599313Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599188Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599078Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598959Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598844Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598733Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598625Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598513Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598352Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598250Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598141Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598032Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597907Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597782Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597657Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597532Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597407Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597297Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597188Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597063Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596938Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596813Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596688Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596578Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596469Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596344Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596234Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596125Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595986Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595591Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595455Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595327Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595219Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594234Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594125Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594013Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593903Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593793Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599874
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599531
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599406
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599296
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599184
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599077
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598968
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598854
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598705
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598578
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598419
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598296
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598187
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598078
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597968
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597741
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597531
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597417
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597093
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596874
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596656
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596546
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596437
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596327
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596218
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596105
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595996
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595852
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595562
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595093
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594874
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594656
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594546
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594437
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594328
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594218
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594109
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593999
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593890
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8738Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1092Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1476
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8365
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe Evaded block: after key decision
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe API coverage: 4.7 %
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe API coverage: 4.7 %
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe API coverage: 6.3 %
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe TID: 8108 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010445A GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010C6D1 FindFirstFileW,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_001037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_00103B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_0010BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe Code function: 9_2_00007FF68EF26B00 GetProcAddress,FindFirstFileA,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe Code function: 9_2_00007FF68EF00520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe Code function: 9_2_00007FF68EF32190 FindFirstFileA,FindClose,FindWindowA
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe Code function: 9_2_00007FF68EF33F40 FindFirstFileA,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058445A GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058C6D1 FindFirstFileW,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_005837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_00583B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe Code function: 10_2_0058BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe Code function: 8_2_000A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
            Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
            Source: RegSvcs.exe, 0000000B.00000002.1504066969.0000000005FE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RegSvcs.exe, 0000000B.00000002.1500953164.0000000000E07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
            Source: RegSvcs.exe, 0000000B.00000002.1504066969.0000000005FE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Q
            Source: wscript.exe, 0000000D.00000002.1458631804.00000183B2204000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
            Source: RegSvcs.exe, 00000012.00000002.1650169645.0000000000C07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: EmbeddedExe2.exe, 00000009.00000002.2540703006.000001D217445000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeAPI call chain: ExitProcess graph end nodegraph_8-101041
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeAPI call chain: ExitProcess graph end nodegraph_8-102035
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeAPI call chain: ExitProcess graph end node
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_00113F09 BlockInput,8_2_00113F09
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,8_2_000A3B3A
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000D5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,8_2_000D5A7C
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000A4B37 LoadLibraryA,GetProcAddress,8_2_000A4B37
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_012B5248 mov eax, dword ptr fs:[00000030h]8_2_012B5248
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_012B6918 mov eax, dword ptr fs:[00000030h]8_2_012B6918
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_012B68B8 mov eax, dword ptr fs:[00000030h]8_2_012B68B8
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_013D6140 mov eax, dword ptr fs:[00000030h]10_2_013D6140
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_013D77B0 mov eax, dword ptr fs:[00000030h]10_2_013D77B0
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_013D7810 mov eax, dword ptr fs:[00000030h]10_2_013D7810
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000F80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,8_2_000F80A9
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000CA124 SetUnhandledExceptionFilter,8_2_000CA124
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exeCode function: 8_2_000CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_000CA155
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeCode function: 9_2_00007FF68EF8AC78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF68EF8AC78
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exeCode function: 9_2_00007FF68EFA4664 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FF68EFA4664
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_0054A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0054A155
            Source: C:\Users\user\AppData\Local\poufs\caulds.exeCode function: 10_2_0054A124 SetUnhandledExceptionFilter,10_2_0054A124
            Source: C:\Users\user\Desktop\uVpytXGpQz.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 857008
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 84E008
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000F87B1 LogonUserW,8_2_000F87B1
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,8_2_000A3B3A
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_000A48D7
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00104C27 mouse_event,8_2_00104C27
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Process created: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\poufs\caulds.exe "C:\Users\user\AppData\Local\poufs\caulds.exe"
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\poufs\caulds.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000F7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,8_2_000F7CAF
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000F874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,8_2_000F874B
            Source: EmbeddedExe1.exe, 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp, caulds.exe, 0000000A.00000002.1369094437.00000000005D4000.00000040.00000001.01000000.00000009.sdmp, caulds.exe, 0000000E.00000002.1511434241.00000000005D4000.00000040.00000001.01000000.00000009.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: EmbeddedExe1.exe, caulds.exe | Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000C862B cpuid 8_2_000C862B
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: MonitorFromWindow,GetMonitorInfoA,GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,MonitorFromWindow,MonitorFromWindow,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,MsgWaitForMultipleObjects,PeekMessageW,IsWindow,DispatchMessageW,IsDialogMessageA,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,9_2_00007FF68EED53E3
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: EnumSystemLocalesW,9_2_00007FF68EFA2EDC
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: GetLocaleInfoW,9_2_00007FF68EFA23A8
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00007FF68EFA9FB8
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: GetLocaleInfoA,DefWindowProcW,9_2_00007FF68EED1B9F
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: EnumSystemLocalesW,9_2_00007FF68EFA9D30
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: EnumSystemLocalesW,9_2_00007FF68EFA9A14
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00007FF68EFA9714
            Source: C:\Users\user\Desktop\uVpytXGpQz.exe | Queries volume information: C:\Users\user\Desktop\uVpytXGpQz.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF7B700 CreateNamedPipeA,CloseHandle,CreateNamedPipeA,ConnectNamedPipe,GetLastError,CloseHandle,GetLastError,9_2_00007FF68EF7B700
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000D4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_000D4E87
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000E1E06 GetUserNameW,8_2_000E1E06
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000D3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_000D3F3A
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_000A49A0
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.1651176289.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.1502078806.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8128, type: MEMORYSTR
            Source: caulds.exe | Binary or memory string: WIN_81
            Source: caulds.exe | Binary or memory string: WIN_XP
            Source: caulds.exe | Binary or memory string: WIN_XPe
            Source: caulds.exe | Binary or memory string: WIN_VISTA
            Source: caulds.exe | Binary or memory string: WIN_7
            Source: caulds.exe | Binary or memory string: WIN_8
            Source: caulds.exe, 0000000E.00000002.1511434241.00000000005D4000.00000040.00000001.01000000.00000009.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
            Source: Yara match | File source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 10.2.caulds.exe.1360000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.caulds.exe.3bc0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.caulds.exe.3bc0000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.caulds.exe.1360000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.1651176289.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.1502078806.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: caulds.exe PID: 7396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1824, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: caulds.exe PID: 7480, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8128, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00116283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,8_2_00116283
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_00116747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,8_2_00116747
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | Code function: 8_2_000D7AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,8_2_000D7AA1
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF0FE90 socket,SetHandleInformation,setsockopt,getaddrinfo,htons,inet_addr,htonl,htonl,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,9_2_00007FF68EF0FE90
            Source: C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | Code function: 9_2_00007FF68EF0F930 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,9_2_00007FF68EF0F930
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_00596283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,10_2_00596283
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_00596747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,10_2_00596747
            Source: C:\Users\user\AppData\Local\poufs\caulds.exe | Code function: 10_2_00557AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,10_2_00557AA1
            MITRE ATT&CK Matrix (one row per technique slot; a leading number is the count of matching signatures in this report)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 3 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 21 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Software Packing | NTDS | 136 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 213 Process Injection | 1 DLL Side-Loading | LSA Secrets | 231 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 213 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Behavior Graph (the rendered graphic is not reproduced; the nodes and edges recovered from it are listed below)
            Behavior Graph ID: 1588380, Sample: uVpytXGpQz.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100

            Network nodes:
            checkip.dyndns.com 132.226.8.169, ports 49750, 49771, 49781, UTMEMUS United States (contacted by RegSvcs.exe)
            reallyfreegeoip.org 104.21.64.1, ports 443, 49759, 49766, CLOUDFLARENETUS United States (contacted by RegSvcs.exe); signature: Tries to detect the country of the analysis system (by using the IP)
            checkip.dyndns.org

            Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures

            Process tree:
            uVpytXGpQz.exe (started), drops C:\Users\user\AppData\...mbeddedExe2.exe (PE32+), C:\Users\user\AppData\...mbeddedExe1.exe (PE32), C:\Users\user\AppData\...\uVpytXGpQz.exe.log (CSV)
                EmbeddedExe1.exe (started), drops C:\Users\user\AppData\Local\...\caulds.exe (PE32); signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file
                    caulds.exe (started), drops C:\Users\user\AppData\Roaming\...\caulds.vbs (data); signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 4 other signatures
                        RegSvcs.exe (started), contacts checkip.dyndns.com and reallyfreegeoip.org
                            cmd.exe (started)
                                conhost.exe (started)
                                choice.exe (started)
                EmbeddedExe2.exe (started)
                conhost.exe (started)
            wscript.exe (started); signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                caulds.exe (started); signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                    RegSvcs.exe (started)
                        cmd.exe (started)
                            conhost.exe (started)
                            choice.exe (started)

            Antivirus detection for the submitted file
            Source | Detection | Scanner | Label | Link
            uVpytXGpQz.exe | 71% | Virustotal | | Browse
            uVpytXGpQz.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject |
            uVpytXGpQz.exe | 100% | Avira | TR/Dropper.Gen |
            uVpytXGpQz.exe | 100% | Joe Sandbox ML | |

            Antivirus detection for dropped files
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\poufs\caulds.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject |
            C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe | 69% | Virustotal | | Browse
            C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | 0% | Virustotal | | Browse
            C:\Users\user\AppData\Local\poufs\caulds.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            NameIPActiveMaliciousAntivirus DetectionReputation
            reallyfreegeoip.org
            104.21.64.1
            truefalse
              high
              checkip.dyndns.com
              132.226.8.169
              truefalse
                high
                checkip.dyndns.org
                unknown
                unknownfalse
                  high
                  NameMaliciousAntivirus DetectionReputation
                  http://checkip.dyndns.org/false
                    high
                    https://reallyfreegeoip.org/xml/8.46.123.189false
                      high
| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| https://sectigo.com/CPS0 | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| http://ocsp.sectigo.com0 | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| https://www.chiark.greenend.org.uk/~sgtatham/putty/ | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| http://checkip.dyndns.org/q | caulds.exe, 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, caulds.exe, 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp | false |  | high |
| https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| http://reallyfreegeoip.org | RegSvcs.exe, 0000000B.00000002.1502078806.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| https://reallyfreegeoip.org | RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| http://checkip.dyndns.org | RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.00000000029FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| http://checkip.dyndns.com | RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 0000000B.00000002.1502078806.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | uVpytXGpQz.exe, EmbeddedExe2.exe.5.dr | false |  | high |
| https://reallyfreegeoip.org/xml/ | caulds.exe, 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1502078806.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, caulds.exe, 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1651176289.0000000002A09000.00000004.00000800.00020000.00000000.sdmp | false |  | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| 132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
| 104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588380
Start date and time: 2025-01-11 01:36:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uVpytXGpQz.exe
renamed because original name is a hash value
Original Sample Name: 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@25/10@2/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 61
• Number of non-executed functions: 280
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target uVpytXGpQz.exe, PID 7948 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
| 01:37:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs |
| 19:37:27 | API Interceptor | 174x Sleep call for process: RegSvcs.exe modified |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| 132.226.8.169 | H75MnQEha8.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | 7b4Iaf58Rp.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | checkip.dyndns.org/ |
|  | b5BQbAhwVD.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | UF7jzc7ETP.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | V7OHj6ISEo.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | FylY1FW6fl.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | v4nrZtP7K2.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | ppISxhDcpF.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/ |
|  | CvzLvta2bG.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | checkip.dyndns.org/ |
|  | xom6WSISuh.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | checkip.dyndns.org/ |
| 104.21.64.1 | 4sfN3Gx1vO.exe | Get hash | malicious | FormBook | Browse | www.vilakodsiy.sbs/w7eo/ |
|  | 1162-201.exe | Get hash | malicious | FormBook | Browse | www.mzkd6gp5.top/utww/ |
|  | QUOTATION#050125.exe | Get hash | malicious | FormBook | Browse | www.mzkd6gp5.top/3u0p/ |
|  | Sales Acknowledgement - HES #982323.pdf | Get hash | malicious | Unknown | Browse | ordrr.statementquo.com/QCbxA/ |
|  | SH8ZyOWNi2.exe | Get hash | malicious | CMSBrute | Browse | adsfirm.com/administrator/index.php |
|  | PO2412010.exe | Get hash | malicious | FormBook | Browse | www.bser101pp.buzz/v89f/ |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| reallyfreegeoip.org | 6BRa130JDj.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
|  | 4AMVusDMPP.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.32.1 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.48.1 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.96.1 |
|  | yqfze5TKW7.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.112.1 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.16.1 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.96.1 |
|  | tVuAoupHhZ.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.32.1 |
|  | TjoY7n65om.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.80.1 |
|  | Kb94RzMYNf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.16.1 |
| checkip.dyndns.com | 6BRa130JDj.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168 |
|  | 4AMVusDMPP.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 132.226.247.73 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0 |
|  | yqfze5TKW7.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 158.101.44.242 |
|  | 4AMVusDMPP.exe | Get hash | malicious | GuLoader | Browse | 193.122.130.0 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 158.101.44.242 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168 |
|  | tVuAoupHhZ.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0 |
|  | TjoY7n65om.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| UTMEMUS | 4AMVusDMPP.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 132.226.247.73 |
|  | TjoY7n65om.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73 |
|  | Kb94RzMYNf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
|  | H75MnQEha8.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.8.169 |
|  | z87sammylastborn.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.247.73 |
|  | Ddj3E3qerh.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73 |
|  | 6cicUo3f8g.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73 |
|  | 7b4Iaf58Rp.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 132.226.8.169 |
|  | rXKfKM0T49.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 132.226.247.73 |
|  | 4Vx2rUlb0f.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73 |
| CLOUDFLARENETUS | 6BRa130JDj.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1 |
|  | 4AMVusDMPP.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.32.1 |
|  | BcF3o0Egke.exe | Get hash | malicious | FormBook | Browse | 104.21.15.100 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.48.1 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.96.1 |
|  | ukBQ4ch2nE.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205 |
|  | yqfze5TKW7.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.112.1 |
|  | JGvCEaqruI.exe | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | 104.16.185.241 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.16.1 |
|  | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | Get hash | malicious | Unknown | Browse | 188.114.97.3 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| 54328bd36c14bd82ddaa0c04b25ed9ad | 6BRa130JDj.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.64.1 |
|  | 4AMVusDMPP.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.64.1 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1 |
|  | yqfze5TKW7.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.64.1 |
|  | VCU262Y2QB.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1 |
|  | h1HIe1rt4D.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1 |
|  | tVuAoupHhZ.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1 |
|  | TjoY7n65om.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1 |
|  | Kb94RzMYNf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.64.1 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe | 8kDIr4ZdNj.exe | Get hash | malicious | Snake Keylogger | Browse |  |
|  | filepdf.pdf.lnk.download.lnk | Get hash | malicious | Unknown | Browse |  |
|  | Invoice-UPS-218931.pdf.lnk.mal.lnk | Get hash | malicious | Unknown | Browse |  |
Process: C:\Users\user\Desktop\uVpytXGpQz.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.355760272568367
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
MD5: FC3575D5BE1A5405683DC33B66D36243
SHA1: 1C816D34B7D5B96E077DC3EF640BA8C7BA370502
SHA-256: 1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
SHA-512: 68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..
                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1039
                                                                Entropy (8bit):5.353332853270839
                                                                Encrypted:false
                                                                SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                                                MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                                                SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                                                SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                                                SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                                                Process:C:\Users\user\Desktop\uVpytXGpQz.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                Category:dropped
                                                                Size (bytes):558080
                                                                Entropy (8bit):7.925927380448633
                                                                Encrypted:false
                                                                SSDEEP:12288:NquErHF6xC9D6DmR1J98w4oknqOOCyQfZYQignEMlsFqqYJiWn1:wrl6kD68JmlotQfZsgnEHPWn1
                                                                MD5:47310E2D76477F79641F8703027A60B0
                                                                SHA1:BBA7157BFAB11D11B6912CB0012E117DE61D175A
                                                                SHA-256:54F08D458C3A9B5B6553E6BC6810FD9071D7BC2A517576D4DCC45B1CA0A47D1F
                                                                SHA-512:CCF55E9915002E828FEEC50C58EC1CCAC378C0B1A1E081E5B2E542457FF4A2866AEBAEEEB40BFE6188938B4E1DC0BC1C770E33A012752D28429F8B14ED7FB7F7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                • Antivirus: Virustotal, Detection: 69%, Browse
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....BRg.........."......`...0...@......P........@.......................................@...@.......@.........................$.......................................................................H...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc....0.......$...`..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                                Process:C:\Users\user\Desktop\uVpytXGpQz.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1663264
                                                                Entropy (8bit):6.929148215184974
                                                                Encrypted:false
                                                                SSDEEP:49152:Plp9tHfYoEaTSiz23THT3WSMpDgF/qB0Rj6KIeVSc/zui+:PX/LEQkF/qBk6K2c/ii+
                                                                MD5:5EFEF6CC9CD24BAEEED71C1107FC32DF
                                                                SHA1:3CFC9764083154F682A38831C8229E3E29CBE3EF
                                                                SHA-256:E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021
                                                                SHA-512:CECD98F0E238D7387B44838251B795BB95E85EC8D35242FC24532BA21929759685205133923268BF8BC0E2DED37DB7D88ECBE2B692D2BE6F09C6D92A57D1FDAC
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                Joe Sandbox View:
                                                                • Filename: 8kDIr4ZdNj.exe, Detection: malicious, Browse
                                                                • Filename: filepdf.pdf.lnk.download.lnk, Detection: malicious, Browse
                                                                • Filename: Invoice-UPS-218931.pdf.lnk.mal.lnk, Detection: malicious, Browse
                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."............................@....................................q ....`..................................................H..........@.......8m...... W...................................=..(...0...@............S...............................text...V........................... ..`.rdata..\...........................@..@.data....U..........................@....pdata..8m.......n..................@..@.00cfg..8...........................@..@.gxfg...`*.......,..................@..@.tls.................:..............@..._RDATA..\............<..............@..@.rsrc...@............>..............@..@.reloc........... ..................@..B........................................................................................................................................................................................................................
                                                                Process:C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):97080
                                                                Entropy (8bit):7.921976746904169
                                                                Encrypted:false
                                                                SSDEEP:1536:qKOEpOdu51DV1PSJrkdk3deVbNGYUAfi1+oxkUCjoitAp5+7Qatw:qKxpOdu51DVZQrkWdcb59fiTxkFstp0+
                                                                MD5:0A1DC59B5A2342A040748B933B272286
                                                                SHA1:FD66081CE948153DD63855B828CB2CF29E458C13
                                                                SHA-256:4DF324595FE5DBDE0BD08A591D4CFC8B09EF04A017CAF85A303B7A61C9F30C21
                                                                SHA-512:38F4ADC2ED72ADF1A95F9B4E3A4444B954A2429B86CD0B516A70756F0B9473312480651B3BEA067C05C09A0F0FBCCABA6898FD2E1658D4EE563CB8C31F75696B
                                                                Malicious:false
                                                                Preview:EA06.....C44y.J.E.ShU.~.E.L)....7.Th.i..r.4T....".E...f..5....^...u.%..{../y..F}X.FdSYT..#..%rI\..9.N*V.,..e......R.?.I...-".t.N..)E._h..z...4k[J.M..h.F...Q.4`.,[..z-B .hE...D..1..A.z.6..i.H...:<..i.."...L+....i..5p..T.4;..T*0....E..k.._4.wR...}.._e..."..r...Ta....O$.. .....&.+......h@....S.\..5..............`.....T!...."......,...=..s..."......X...'..J.E.[.u.F.E......6c..Q*. ...k.V.q..kg./G..k.....C.N..5;.4/..DH.....P.Bn.4]...x.q9.4$.....8......BT.hU...`..N.[l.....|....:...1...6P...[.R(3k..@.Mi.z...V..w5.-.}g.T(\Z...9.M..R.V..lu*&.K.V.r{...:..t.*\.J..&4X..!X../..^.V.Sj7..6k...6..j.R..5.E>cY.Si....A{..#09.J.o.L...e..z.L.u..&9R....:<.l..-..H..n.F..Jt.3..m..[R..@..x....X.S......R..+.....T.R......N..j....A....*..QE...{.j..DUh..sX......I....*t....T*....=.Dh.....p.....].....U.-.^..=.S..Qh}.u6.^.....}B...T(...6.^.S'........4z%..3...z-J.@.V...mD....S.......@.....z.Qh.:l..Z...5*..W_...[.}.O;.Qh7..>c.....D...{%bW...#t...kN.v.......ZkW.U..-.N6......['7
                                                                Process:C:\Users\user\AppData\Local\poufs\caulds.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):97080
                                                                Entropy (8bit):7.921976746904169
                                                                Encrypted:false
                                                                SSDEEP:1536:qKOEpOdu51DV1PSJrkdk3deVbNGYUAfi1+oxkUCjoitAp5+7Qatw:qKxpOdu51DVZQrkWdcb59fiTxkFstp0+
                                                                MD5:0A1DC59B5A2342A040748B933B272286
                                                                SHA1:FD66081CE948153DD63855B828CB2CF29E458C13
                                                                SHA-256:4DF324595FE5DBDE0BD08A591D4CFC8B09EF04A017CAF85A303B7A61C9F30C21
                                                                SHA-512:38F4ADC2ED72ADF1A95F9B4E3A4444B954A2429B86CD0B516A70756F0B9473312480651B3BEA067C05C09A0F0FBCCABA6898FD2E1658D4EE563CB8C31F75696B
                                                                Malicious:false
                                                                Preview:EA06.....C44y.J.E.ShU.~.E.L)....7.Th.i..r.4T....".E...f..5....^...u.%..{../y..F}X.FdSYT..#..%rI\..9.N*V.,..e......R.?.I...-".t.N..)E._h..z...4k[J.M..h.F...Q.4`.,[..z-B .hE...D..1..A.z.6..i.H...:<..i.."...L+....i..5p..T.4;..T*0....E..k.._4.wR...}.._e..."..r...Ta....O$.. .....&.+......h@....S.\..5..............`.....T!...."......,...=..s..."......X...'..J.E.[.u.F.E......6c..Q*. ...k.V.q..kg./G..k.....C.N..5;.4/..DH.....P.Bn.4]...x.q9.4$.....8......BT.hU...`..N.[l.....|....:...1...6P...[.R(3k..@.Mi.z...V..w5.-.}g.T(\Z...9.M..R.V..lu*&.K.V.r{...:..t.*\.J..&4X..!X../..^.V.Sj7..6k...6..j.R..5.E>cY.Si....A{..#09.J.o.L...e..z.L.u..&9R....:<.l..-..H..n.F..Jt.3..m..[R..@..x....X.S......R..+.....T.R......N..j....A....*..QE...{.j..DUh..sX......I....*t....T*....=.Dh.....p.....].....U.-.^..=.S..Qh}.u6.^.....}B...T(...6.^.S'........4z%..3...z-J.@.V...mD....S.......@.....z.Qh.:l..Z...5*..W_...[.}.O;.Qh7..>c.....D...{%bW...#t...kN.v.......ZkW.U..-.N6......['7
                                                                Process:C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):134144
                                                                Entropy (8bit):6.940368794964889
                                                                Encrypted:false
                                                                SSDEEP:3072:R6qFC6I+GxZJ1DZ9cW6nwKvwA8gxzWbooBwmhicFsQIwyna8WomTk:1FJI+GxHK4ADe0mhicFYwynxWzk
                                                                MD5:674D3B46E4B1C0960A436E5B4B3F50DC
                                                                SHA1:D872AFD8AC737F8B79223C0E6E933BB588F86880
                                                                SHA-256:224B7426C2FF4C7DA5EA10B3DE8D5319CB8F5C5B8A0D6CF7138BAF11581A0FD0
                                                                SHA-512:8AAA777C4EFA4FFD0935335E0F7E11CC8A004846B1B625FD1ACC0A8FE52D3718144437F9744DEC2A78CF305295B2106BE515CB24C3B4A6CBD8C1815E178B84A9
                                                                Malicious:false
                                                                Preview:...G:RGEVMBZ..EE.0MJZ7M7.QEV1G9RGERMBZPHEEP0MJZ7M7RQEV1G9RGE.MBZ^W.KP.D.{.L{.p.>X4."5*5?#7p+$+>_9j8RmE'?e?_g}..e?"&?~EHOt0MJZ7M7..EV}F:R.h.+BZPHEEP0.JX6F6.QE.0G9FGERMBZn\GEP.MJZ.O7RQ.V1g9RGGRMFZPHEEP0IJZ7M7RQE63G9PGERMBZRH..P0]JZ'M7RQUV1W9RGERMRZPHEEP0MJZ7.$PQ.V1G9rEE9]BZPHEEP0MJZ7M7RQEV1.;RKERMBZPHEEP0MJZ7M7RQEV1G9RGERMBZPHEEP0MJZ7M7RQEV1G9RGeRMJZPHEEP0MJZ7E.RQ.V1G9RGERMBZ~< =$0MJ..L7RqEV1.8RGGRMBZPHEEP0MJZ7m7R1k$B5ZRGE9]BZPhGEP"MJZ.L7RQEV1G9RGERM.ZP.k75\")Z7A7RQE.3G9PGERG@ZPHEEP0MJZ7M7.QE.1G9RGERMBZPHEEP0m^X7M7RQ.V1G;RBE.oCZ..EES0MJ.7M1.pDV.G9RGERMBZPHEEP0MJZ7M7RQEV1G9RGERMBZPHEEP0MJ.J.8..?B..RGERMB[RKACX8MJZ7M7RQ;V1G.RGE.MBZgHEEu0MJ77M7vQEVOG9R9ERM&ZPH7EP0,JZ7.7RQ*V1GWRGE,MBZNJmeP0G`|7O.sQE\1m.!eERG.[PHA6s0M@.5M7V"aV1M.QGEV>gZPB.AP0I9|7M=.TEV5mcRD.DKBZK'|EP:MI."K7RJop1E.hGEXMh|PK.PV0MQp.M5.XEV5mo!ZERKj.PHO1Y0MH.=M7V{[T..9RMop3RZPLnEz.3[Z7I.R{g(#G9VlExo<IPHAnP.o4N7M3yQoH3.-RGAxo<OPHAnP.o4L7M3yQotOP9RCnRg\X._EET.K`87?.NQ5U^.9RAm.MBPx(EEV0gpZIm7RUG9.G9Xao.M@rTIEOP2N7l7M3PU8a1G=x.EP6{Z
                                                                Process:C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                Category:dropped
                                                                Size (bytes):558080
                                                                Entropy (8bit):7.925927380448633
                                                                Encrypted:false
                                                                SSDEEP:12288:NquErHF6xC9D6DmR1J98w4oknqOOCyQfZYQignEMlsFqqYJiWn1:wrl6kD68JmlotQfZsgnEHPWn1
                                                                MD5:47310E2D76477F79641F8703027A60B0
                                                                SHA1:BBA7157BFAB11D11B6912CB0012E117DE61D175A
                                                                SHA-256:54F08D458C3A9B5B6553E6BC6810FD9071D7BC2A517576D4DCC45B1CA0A47D1F
                                                                SHA-512:CCF55E9915002E828FEEC50C58EC1CCAC378C0B1A1E081E5B2E542457FF4A2866AEBAEEEB40BFE6188938B4E1DC0BC1C770E33A012752D28429F8B14ED7FB7F7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....BRg.........."......`...0...@......P........@.......................................@...@.......@.........................$.......................................................................H...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc....0.......$...`..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                                Process:C:\Users\user\AppData\Local\poufs\caulds.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):262
                                                                Entropy (8bit):3.4381719499824994
                                                                Encrypted:false
                                                                SSDEEP:6:DMM8lfm3OOQdUfclq7UEZ+lX1ylG0c6nriIM8lfQVn:DsO+vNlq7Q1yMgmA2n
                                                                MD5:FBF772BA54447C20E1EDC588014BA01A
                                                                SHA1:FBE1552E80E532FD224C7020EDD8782D70202F70
                                                                SHA-256:AEC63B0D54E4A2E4CC674C13B2EDE5BC360D8F5CCEDF73A4CD1F07F06F1EBA53
                                                                SHA-512:D52DF4994F44CFC7DE6BB5B92FB42BCE60B4D850AA1CF26499C41CFE11E9B10DD2D4C186FDCD17E12DB0D10B46A91D3E26E795E52D79AE1D627B83F868095256
                                                                Malicious:true
Preview (UTF-16LE text, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\brok\AppData\Local\poufs\caulds.exe", 1
Set WshShell = Nothing
                                                                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.2615368179706286
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.55%
                                                                • Win32 Executable (generic) a (10002005/4) 49.50%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • InstallShield setup (43055/19) 0.21%
                                                                • UPX compressed Win32 Executable (30571/9) 0.15%
                                                                File name:uVpytXGpQz.exe
                                                                File size:2'226'176 bytes
                                                                MD5:022dbaa1df24d488b03ecb058a521613
                                                                SHA1:9f12948c741b6b27cce58d4cd804a2f988feddf2
                                                                SHA256:539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8
                                                                SHA512:1d23c5d6a8b384e2c746865da221a14d6cb7f9260597c4785ae527798e9215027bbc089b5214389ff2bbae180ba6cbec547df6c5d901ff6a56d2fb4909e50880
                                                                SSDEEP:49152:0l328U2yfZrnJhlp9tHfYoEaTSiz23THT3WSMpDgF/qB0Rj6KIeVSc/zui:a30DfJJhX/LEQkF/qBk6K2c/ii
                                                                TLSH:9FA5D017B29610EDC06EC178C7665111E971BC844B347AEF17A8A7292E32FD06F3EB25
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....FRg..................!...........".. ... "...@.. .......................`"...........@................................
                                                                Icon Hash:90cececece8e8eb0
                                                                Entrypoint:0x620cce
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x67524615 [Fri Dec 6 00:32:21 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x220c74         0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x222000         0x508         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x224000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x21ecd4      0x21ee00  451a3e2fcacc1a9b64dd5add0f9c87f2  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x222000         0x508         0x600     bea7b72de652d7e331682b7b576aeb24  False     0.3828125        data       3.83647344143046     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x224000         0xc           0x200     5a45e9b8d243ec56409efd7cd29cb872  False     0.044921875      data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x2220a0  0x274  data                                                                                                  0.4570063694267516
RT_MANIFEST  0x222318  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
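Resolving the data-directory RVAs above to sections, the way the "Is in Section" column does, and reading the managed-code indicators straight off the headers, as an added example in Python. This is not Joe Sandbox code: the section table, data directories and import table are the sample's values copied from this report, and the rule that a section occupies max(VirtualSize, SizeOfRawData) bytes from its virtual address is the loader's behaviour stated without SectionAlignment rounding, an assumption that does not change the answer for these values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int
    raw_size: int

    @property
    def end(self) -> int:
        # The loader reserves max(VirtualSize, SizeOfRawData) for a section.
        # Assumption: SectionAlignment rounding is ignored here.
        return self.virtual_address + max(self.virtual_size, self.raw_size)


# Section table as printed in the report above.
SECTIONS: List[Section] = [
    Section(".text",  0x2000,   0x21ecd4, 0x21ee00),
    Section(".rsrc",  0x222000, 0x508,    0x600),
    Section(".reloc", 0x224000, 0xc,      0x200),
]

# Data directories the report lists as non-empty: name -> (RVA, size).
DATA_DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "IMPORT":         (0x220c74, 0x57),
    "RESOURCE":       (0x222000, 0x508),
    "BASERELOC":      (0x224000, 0xc),
    "IAT":            (0x2000,   0x8),
    "COM_DESCRIPTOR": (0x2008,   0x48),
}

# Import table as printed in the report: one DLL, one function.
IMPORTS: Dict[str, List[str]] = {"mscoree.dll": ["_CorExeMain"]}


def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[str]:
    """Name of the section whose mapped range contains rva, else None
    (the PE headers and any gap between sections map to nothing)."""
    for s in sections:
        if s.virtual_address <= rva < s.end:
            return s.name
    return None


def directory_sections(dirs=DATA_DIRECTORIES, sections=SECTIONS) -> Dict[str, Optional[str]]:
    """Reproduce the report's 'Is in Section' column.  A directory is only
    attributed to a section when both its first and its last byte fall in
    that section; one that straddles a boundary or points outside every
    section gets None, which deserves a manual look because the Windows
    loader follows the RVA regardless."""
    result: Dict[str, Optional[str]] = {}
    for name, (rva, size) in dirs.items():
        first = section_for_rva(rva, sections)
        last = section_for_rva(rva + size - 1, sections) if size else first
        result[name] = first if first == last else None
    return result


def managed_code_indicators(dirs=DATA_DIRECTORIES, imports=IMPORTS) -> Dict[str, bool]:
    """Two header-only checks that identify a .NET executable: a non-empty
    COM_DESCRIPTOR directory (the CLR header) and an import table holding
    nothing but mscoree!_CorExeMain, the native stub that hands control to
    the runtime.  Everything the program really does lives in IL, so native
    import analysis tells you almost nothing about such a file."""
    com_rva, com_size = dirs.get("COM_DESCRIPTOR", (0, 0))
    only_clr_stub = (
        list(imports) == ["mscoree.dll"]
        and imports["mscoree.dll"] == ["_CorExeMain"]
    )
    return {
        "clr_header_present": com_rva != 0 and com_size != 0,
        "imports_only_corexemain": only_clr_stub,
    }


def is_managed_executable(dirs=DATA_DIRECTORIES, imports=IMPORTS) -> bool:
    return all(managed_code_indicators(dirs, imports).values())


if __name__ == "__main__":
    for name, sec in directory_sections().items():
        print(f"{name:15s} -> {sec}")
    print("managed executable:", is_managed_executable())
```

The two-line import table is the point to notice here: with `mscoree!_CorExeMain` as the only import, the native code is a trampoline into the CLR, so the behaviour the report lists (keylogging, clipboard access, process injection) has to come from the managed code or from whatever it unpacks, and static triage should move to a .NET decompiler rather than to the native disassembly.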
Timestamp                        SID      Signature                                          Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2025-01-11T01:37:27.400991+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.10  49750        132.226.8.169  80         TCP
2025-01-11T01:37:28.521750+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.10  49750        132.226.8.169  80         TCP
2025-01-11T01:37:29.085992+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49766        104.21.64.1    443        TCP
2025-01-11T01:37:29.961947+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.10  49771        132.226.8.169  80         TCP
2025-01-11T01:37:30.571070+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49777        104.21.64.1    443        TCP
2025-01-11T01:37:32.138874+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49789        104.21.64.1    443        TCP
2025-01-11T01:37:33.625908+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49797        104.21.64.1    443        TCP
2025-01-11T01:37:35.068708+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49811        104.21.64.1    443        TCP
2025-01-11T01:37:36.589745+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49822        104.21.64.1    443        TCP
2025-01-11T01:37:41.601938+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.10  49847        132.226.8.169  80         TCP
2025-01-11T01:37:43.117648+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.10  49847        132.226.8.169  80         TCP
2025-01-11T01:37:43.730191+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49864        104.21.64.1    443        TCP
2025-01-11T01:37:44.945694+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.10  49868        132.226.8.169  80         TCP
2025-01-11T01:37:45.546352+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49874        104.21.64.1    443        TCP
2025-01-11T01:37:50.879452+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49907        104.21.64.1    443        TCP
2025-01-11T01:37:53.956541+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.10  49931        104.21.64.1    443        TCP
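The IDS alerts above and the packet table that follows show the same two destinations, 132.226.8.169:80 and 104.21.64.1:443, being contacted again and again about a second and a half apart, each on a fresh ephemeral port. Turning the packet rows into a per-destination connection timeline and a regularity score is the quickest way to confirm that pattern, and the following Python is an added example of doing so, not part of the Joe Sandbox report. The rows are a constructed subset copied from the packet table in the report's column order (timestamp, source port, dest port, source IP, dest IP); 192.168.2.10 is the analysis VM named in the report.

```python
import re
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

LOCAL_HOST = "192.168.2.10"   # the analysis VM in this report

# Constructed subset of the report's packet table: the first packet of a
# dozen connections, one duplicate packet (second row for port 49750) and
# two server replies, to show that both are filtered out.
ROWS = """\
Jan 11, 2025 01:37:26.183254004 CET 49750 80 192.168.2.10 132.226.8.169
Jan 11, 2025 01:37:26.188110113 CET 80 49750 132.226.8.169 192.168.2.10
Jan 11, 2025 01:37:26.188179970 CET 49750 80 192.168.2.10 132.226.8.169
Jan 11, 2025 01:37:27.464236021 CET 49759 443 192.168.2.10 104.21.64.1
Jan 11, 2025 01:37:27.464255095 CET 443 49759 104.21.64.1 192.168.2.10
Jan 11, 2025 01:37:28.468472958 CET 49766 443 192.168.2.10 104.21.64.1
Jan 11, 2025 01:37:29.091523886 CET 49771 80 192.168.2.10 132.226.8.169
Jan 11, 2025 01:37:29.933173895 CET 49777 443 192.168.2.10 104.21.64.1
Jan 11, 2025 01:37:30.576597929 CET 49781 80 192.168.2.10 132.226.8.169
Jan 11, 2025 01:37:31.548388004 CET 49789 443 192.168.2.10 104.21.64.1
Jan 11, 2025 01:37:32.143522024 CET 49794 80 192.168.2.10 132.226.8.169
Jan 11, 2025 01:37:32.987241030 CET 49797 443 192.168.2.10 104.21.64.1
Jan 11, 2025 01:37:33.631660938 CET 49804 80 192.168.2.10 132.226.8.169
Jan 11, 2025 01:37:34.468240023 CET 49811 443 192.168.2.10 104.21.64.1
Jan 11, 2025 01:37:40.428220987 CET 49847 80 192.168.2.10 132.226.8.169
"""

Row = Tuple[datetime, int, int, str, str]

ROW_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}), (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+) [A-Z]+ +"
    r"(?P<sport>\d+) +(?P<dport>\d+) +(?P<sip>[\d.]+) +(?P<dip>[\d.]+)$"
)


def parse_row(line: str) -> Row:
    """One packet row -> (timestamp, sport, dport, sip, dip).  The zone
    abbreviation is dropped: every row in one report shares it."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    hms, frac = m["time"].split(".")
    # strptime's %f takes at most six digits and the table carries
    # nanoseconds, so truncate to microseconds.
    ts = datetime.strptime(
        f"{m['year']} {m['mon']} {m['day']} {hms}.{frac[:6]}",
        "%Y %b %d %H:%M:%S.%f",
    )
    return ts, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]


def parse_rows(text: str) -> List[Row]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def connection_starts(rows: List[Row], local: str = LOCAL_HOST) -> List[Tuple[datetime, str, int]]:
    """One entry per outbound connection: the first packet the local host
    sends on a given (sport, dip, dport) tuple.  Ephemeral ports are not
    reused within a short capture, so the tuple identifies the connection;
    with a real pcap you would key on the SYN flag instead."""
    seen = set()
    starts = []
    for ts, sport, dport, sip, dip in sorted(rows, key=lambda r: r[0]):
        if sip != local:
            continue                      # server-to-client packet
        key = (sport, dip, dport)
        if key in seen:
            continue                      # later packet of a known connection
        seen.add(key)
        starts.append((ts, dip, dport))
    return starts


def beacon_profile(starts) -> Dict[Tuple[str, int], dict]:
    """Per destination: connection count, the gaps in seconds between
    successive connections, and stdev/mean of those gaps.  A coefficient of
    variation near 0 is a clockwork beacon; human-driven traffic is bursty
    and scores far higher."""
    per_dst: Dict[Tuple[str, int], List[datetime]] = {}
    for ts, dip, dport in starts:
        per_dst.setdefault((dip, dport), []).append(ts)
    profile = {}
    for dst, times in per_dst.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 else None
        profile[dst] = {
            "connections": len(times),
            "gaps": [round(g, 3) for g in gaps],
            "cv": cv,
        }
    return profile


if __name__ == "__main__":
    for dst, info in beacon_profile(connection_starts(parse_rows(ROWS))).items():
        print(f"{dst[0]}:{dst[1]}  n={info['connections']}  gaps={info['gaps']}  cv={info['cv']}")
```

Run against the full packet table the same code gives the complete timeline; on this subset each destination is contacted six times with gaps mostly between 1.0 s and 1.6 s, and the two sequences interleave, which is the alternating "fetch over HTTP, then talk TLS" rhythm the IDS signatures above are firing on.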
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 11, 2025 01:37:26.183254004 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:26.188110113 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:26.188179970 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:26.188513041 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:26.193253994 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:27.037596941 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:27.044996023 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:27.049762964 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:27.348889112 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:27.400990963 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:27.464236021 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:27.464255095 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:27.464308977 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:27.469645023 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:27.469659090 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:27.949354887 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:27.949451923 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:27.954375029 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:27.954386950 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:27.954694033 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.008152008 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.019013882 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.059340954 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.150975943 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.151031017 CET  443          49759      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.151077032 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.158313990 CET  49759        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.162542105 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:28.167345047 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:28.465300083 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:28.468472958 CET  49766        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.468512058 CET  443          49766      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.468565941 CET  49766        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.469039917 CET  49766        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.469054937 CET  443          49766      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.521749973 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:28.944752932 CET  443          49766      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:28.947272062 CET  49766        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:28.947283983 CET  443          49766      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:29.086080074 CET  443          49766      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:29.086153030 CET  443          49766      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:29.086200953 CET  49766        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:29.086815119 CET  49766        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:29.090120077 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:29.091523886 CET  49771        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:29.095079899 CET  80           49750      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:29.095180988 CET  49750        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:29.096303940 CET  80           49771      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:29.096452951 CET  49771        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:29.096544027 CET  49771        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:29.101316929 CET  80           49771      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:29.912506104 CET  80           49771      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:29.933173895 CET  49777        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:29.933207989 CET  443          49777      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:29.940937996 CET  49777        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:29.940937996 CET  49777        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:29.940964937 CET  443          49777      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:29.961946964 CET  49771        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:30.420443058 CET  443          49777      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:30.422291040 CET  49777        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:30.422308922 CET  443          49777      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:30.571093082 CET  443          49777      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:30.571187019 CET  443          49777      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:30.571233034 CET  49777        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:30.571607113 CET  49777        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:30.576597929 CET  49781        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:30.581401110 CET  80           49781      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:30.581475019 CET  49781        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:30.581552982 CET  49781        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:30.586253881 CET  80           49781      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:31.546086073 CET  80           49781      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:31.548388004 CET  49789        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:31.548432112 CET  443          49789      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:31.551152945 CET  49789        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:31.551368952 CET  49789        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:31.551378965 CET  443          49789      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:31.587353945 CET  49781        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:32.007998943 CET  443          49789      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:32.009777069 CET  49789        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:32.009797096 CET  443          49789      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:32.138900995 CET  443          49789      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:32.138959885 CET  443          49789      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:32.139489889 CET  49789        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:32.139489889 CET  49789        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:32.142463923 CET  49781        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:32.143522024 CET  49794        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:32.147479057 CET  80           49781      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:32.147645950 CET  49781        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:32.148399115 CET  80           49794      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:32.148559093 CET  49794        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:32.148559093 CET  49794        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:32.153465033 CET  80           49794      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:32.983073950 CET  80           49794      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:32.987241030 CET  49797        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:32.987274885 CET  443          49797      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:32.987346888 CET  49797        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:32.987881899 CET  49797        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:32.987895966 CET  443          49797      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:33.023771048 CET  49794        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:33.468548059 CET  443          49797      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:33.470472097 CET  49797        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:33.470504045 CET  443          49797      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:33.626004934 CET  443          49797      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:33.626169920 CET  443          49797      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:33.626234055 CET  49797        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:33.626789093 CET  49797        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:33.630466938 CET  49794        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:33.631660938 CET  49804        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:33.636864901 CET  80           49794      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:33.636919022 CET  49794        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:33.637725115 CET  80           49804      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:33.637799978 CET  49804        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:33.637880087 CET  49804        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:33.642637014 CET  80           49804      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:34.466528893 CET  80           49804      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:34.468240023 CET  49811        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:34.468286991 CET  443          49811      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:34.468359947 CET  49811        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:34.468724966 CET  49811        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:34.468736887 CET  443          49811      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:34.508203983 CET  49804        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:34.924271107 CET  443          49811      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:34.933340073 CET  49811        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:34.933357000 CET  443          49811      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:35.068716049 CET  443          49811      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:35.068783998 CET  443          49811      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:35.069020987 CET  49811        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:35.069346905 CET  49811        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:35.081798077 CET  49804        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:35.082753897 CET  49817        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:35.086811066 CET  80           49804      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:35.086905956 CET  49804        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:35.087605000 CET  80           49817      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:35.087763071 CET  49817        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:35.087902069 CET  49817        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:35.092757940 CET  80           49817      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:35.935523987 CET  80           49817      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:35.952965021 CET  49822        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:35.953010082 CET  443          49822      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:35.953355074 CET  49822        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:35.953355074 CET  49822        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:35.953397989 CET  443          49822      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:35.992569923 CET  49817        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:36.430030107 CET  443          49822      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:36.439883947 CET  49822        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:36.439907074 CET  443          49822      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:36.589730024 CET  443          49822      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:36.589843035 CET  443          49822      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:36.589885950 CET  49822        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:36.590462923 CET  49822        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:36.595714092 CET  49817        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:36.596806049 CET  49827        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:36.600692987 CET  80           49817      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:36.600761890 CET  49817        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:36.601701975 CET  80           49827      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:36.602073908 CET  49827        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:36.602184057 CET  49827        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:36.606930971 CET  80           49827      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:37.419583082 CET  80           49827      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:37.421188116 CET  49832        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:37.421258926 CET  443          49832      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:37.421348095 CET  49832        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:37.421675920 CET  49832        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:37.421695948 CET  443          49832      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:37.465893030 CET  49827        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:37.878113985 CET  443          49832      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:37.879720926 CET  49832        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:37.879753113 CET  443          49832      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:38.027466059 CET  443          49832      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:38.027534008 CET  443          49832      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:38.027777910 CET  49832        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:38.028122902 CET  49832        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:38.358845949 CET  49771        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:38.358918905 CET  49827        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:40.428220987 CET  49847        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:40.433305979 CET  80           49847      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:40.433386087 CET  49847        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:40.433660030 CET  49847        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:40.438466072 CET  80           49847      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:41.265412092 CET  80           49847      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:41.272036076 CET  49847        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:41.277009964 CET  80           49847      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:41.549546957 CET  80           49847      132.226.8.169  192.168.2.10
Jan 11, 2025 01:37:41.601938009 CET  49847        80         192.168.2.10   132.226.8.169
Jan 11, 2025 01:37:41.789104939 CET  49858        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:41.789145947 CET  443          49858      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:41.789213896 CET  49858        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:41.794604063 CET  49858        443        192.168.2.10   104.21.64.1
Jan 11, 2025 01:37:41.794636011 CET  443          49858      104.21.64.1    192.168.2.10
Jan 11, 2025 01:37:42.417434931 CET  443          49858      104.21.64.1    192.168.2.10
                                                                Jan 11, 2025 01:37:42.417521954 CET49858443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:42.419122934 CET49858443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:42.419133902 CET44349858104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:42.419408083 CET44349858104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:42.461328983 CET49858443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:42.472414017 CET49858443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:42.515328884 CET44349858104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:42.595597029 CET44349858104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:42.595660925 CET44349858104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:42.595716953 CET49858443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:42.600065947 CET49858443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:42.604892969 CET4984780192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:42.609658003 CET8049847132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:43.066503048 CET8049847132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:43.069510937 CET49864443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:43.069549084 CET44349864104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:43.069710016 CET49864443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:43.070055008 CET49864443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:43.070065022 CET44349864104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:43.117647886 CET4984780192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:43.568994999 CET44349864104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:43.592784882 CET49864443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:43.592807055 CET44349864104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:43.730192900 CET44349864104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:43.730278015 CET44349864104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:43.730355978 CET49864443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:43.730940104 CET49864443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:43.734833002 CET4984780192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:43.736119032 CET4986880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:43.739821911 CET8049847132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:43.739875078 CET4984780192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:43.740951061 CET8049868132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:43.741024971 CET4986880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:43.741123915 CET4986880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:43.745938063 CET8049868132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:44.901215076 CET8049868132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:44.902920961 CET49874443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:44.902961016 CET44349874104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:44.903018951 CET49874443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:44.903465033 CET49874443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:44.903477907 CET44349874104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:44.945693970 CET4986880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:45.420782089 CET44349874104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:45.422967911 CET49874443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:45.423017025 CET44349874104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:45.546370029 CET44349874104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:45.546432018 CET44349874104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:45.546519041 CET49874443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:45.547142982 CET49874443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:45.553390980 CET4987880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:45.558234930 CET8049878132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:45.558312893 CET4987880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:45.558459044 CET4987880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:45.563281059 CET8049878132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:46.479726076 CET8049878132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:46.481188059 CET49885443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:46.481249094 CET44349885104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:46.481415987 CET49885443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:46.481865883 CET49885443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:46.481879950 CET44349885104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:46.523843050 CET4987880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:47.074899912 CET44349885104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:47.101154089 CET49885443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:47.101180077 CET44349885104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:47.319861889 CET44349885104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:47.319931030 CET44349885104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:47.320009947 CET49885443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:47.327653885 CET49885443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:47.644615889 CET4987880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:47.645944118 CET4988980192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:47.649743080 CET8049878132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:47.649792910 CET4987880192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:47.650790930 CET8049889132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:47.650876045 CET4988980192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:47.651119947 CET4988980192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:47.655936003 CET8049889132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:48.791492939 CET8049889132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:48.792915106 CET49895443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:48.792973042 CET44349895104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:48.793314934 CET49895443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:48.793608904 CET49895443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:48.793623924 CET44349895104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:48.836401939 CET4988980192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:49.274574041 CET44349895104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:49.276344061 CET49895443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:49.276367903 CET44349895104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:49.410695076 CET44349895104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:49.410763979 CET44349895104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:49.411092997 CET49895443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:49.411499023 CET49895443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:49.415760040 CET4988980192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:49.420819998 CET8049889132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:49.420855045 CET4990180192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:49.420978069 CET4988980192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:49.425677061 CET8049901132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:49.425863981 CET4990180192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:49.425863981 CET4990180192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:49.430670977 CET8049901132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:50.261837959 CET8049901132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:50.288491964 CET49907443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:50.288558960 CET44349907104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:50.288757086 CET49907443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:50.298626900 CET49907443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:50.298671007 CET44349907104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:50.305068016 CET4990180192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:50.752140045 CET44349907104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:50.754086018 CET49907443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:50.754132986 CET44349907104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:50.879574060 CET44349907104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:50.879741907 CET44349907104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:50.879800081 CET49907443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:50.880310059 CET49907443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:50.884500980 CET4990180192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:50.885914087 CET4991380192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:50.889481068 CET8049901132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:50.889539003 CET4990180192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:50.890671968 CET8049913132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:50.890737057 CET4991380192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:50.890914917 CET4991380192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:50.895698071 CET8049913132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:51.714534998 CET8049913132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:51.719341040 CET49919443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:51.719386101 CET44349919104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:51.723784924 CET49919443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:51.723784924 CET49919443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:51.723829031 CET44349919104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:51.760094881 CET4991380192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:52.186577082 CET44349919104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:52.188477993 CET49919443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:52.188520908 CET44349919104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:52.351739883 CET44349919104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:52.351805925 CET44349919104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:52.353030920 CET49919443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:52.355426073 CET49919443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:52.358367920 CET4991380192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:52.358371019 CET4992580192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:52.363229990 CET8049925132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:52.363323927 CET8049913132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:52.363410950 CET4991380192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:52.363414049 CET4992580192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:52.363627911 CET4992580192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:52.368375063 CET8049925132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:53.291182041 CET8049925132.226.8.169192.168.2.10
                                                                Jan 11, 2025 01:37:53.298579931 CET49931443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:53.298628092 CET44349931104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:53.298768044 CET49931443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:53.300736904 CET49931443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:53.300750017 CET44349931104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:53.336349964 CET4992580192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:53.811831951 CET44349931104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:53.830661058 CET49931443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:53.830688953 CET44349931104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:53.956568003 CET44349931104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:53.956727982 CET44349931104.21.64.1192.168.2.10
                                                                Jan 11, 2025 01:37:53.956800938 CET49931443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:53.957320929 CET49931443192.168.2.10104.21.64.1
                                                                Jan 11, 2025 01:37:54.079540968 CET4992580192.168.2.10132.226.8.169
                                                                Jan 11, 2025 01:37:54.079607010 CET4986880192.168.2.10132.226.8.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:37:26.168595076 CET | 57923 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 01:37:26.175434113 CET | 53 | 57923 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 01:37:27.456496000 CET | 52393 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 01:37:27.463522911 CET | 53 | 52393 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 01:37:26.168595076 CET | 192.168.2.10 | 1.1.1.1 | 0xc73e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.456496000 CET | 192.168.2.10 | 1.1.1.1 | 0xfccd | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 01:37:26.175434113 CET | 1.1.1.1 | 192.168.2.10 | 0xc73e | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 01:37:26.175434113 CET | 1.1.1.1 | 192.168.2.10 | 0xc73e | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:26.175434113 CET | 1.1.1.1 | 192.168.2.10 | 0xc73e | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:26.175434113 CET | 1.1.1.1 | 192.168.2.10 | 0xc73e | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:26.175434113 CET | 1.1.1.1 | 192.168.2.10 | 0xc73e | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:26.175434113 CET | 1.1.1.1 | 192.168.2.10 | 0xc73e | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:37:27.463522911 CET | 1.1.1.1 | 192.168.2.10 | 0xfccd | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49750 | 132.226.8.169 | 80 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data

Jan 11, 2025 01:37:26.188513041 CET | 151 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Jan 11, 2025 01:37:27.037596941 CET | 273 | IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Jan 11, 2025 01:37:27.044996023 CET | 127 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Jan 11, 2025 01:37:27.348889112 CET | 273 | IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Jan 11, 2025 01:37:28.162542105 CET | 127 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Jan 11, 2025 01:37:28.465300083 CET | 273 | IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 1 | Source IP: 192.168.2.10 | Source Port: 49771 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:29.096544027 CET | Bytes transferred: 127 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Timestamp: Jan 11, 2025 01:37:29.912506104 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:29 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 2 | Source IP: 192.168.2.10 | Source Port: 49781 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:30.581552982 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:31.546086073 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:31 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 3 | Source IP: 192.168.2.10 | Source Port: 49794 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:32.148559093 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:32.983073950 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:32 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 4 | Source IP: 192.168.2.10 | Source Port: 49804 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:33.637880087 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:34.466528893 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:34 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 5 | Source IP: 192.168.2.10 | Source Port: 49817 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:35.087902069 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:35.935523987 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:35 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 6 | Source IP: 192.168.2.10 | Source Port: 49827 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:36.602184057 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:37.419583082 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:37 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 7 | Source IP: 192.168.2.10 | Source Port: 49847 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:40.433660030 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:41.265412092 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:41 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                Timestamp: Jan 11, 2025 01:37:41.272036076 CET | Bytes transferred: 127 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Timestamp: Jan 11, 2025 01:37:41.549546957 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:41 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                Timestamp: Jan 11, 2025 01:37:42.604892969 CET | Bytes transferred: 127 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Timestamp: Jan 11, 2025 01:37:43.066503048 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:42 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 8 | Source IP: 192.168.2.10 | Source Port: 49868 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:43.741123915 CET | Bytes transferred: 127 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Timestamp: Jan 11, 2025 01:37:44.901215076 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:44 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 9 | Source IP: 192.168.2.10 | Source Port: 49878 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:45.558459044 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:46.479726076 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:46 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 10 | Source IP: 192.168.2.10 | Source Port: 49889 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:47.651119947 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:48.791492939 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:48 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 11 | Source IP: 192.168.2.10 | Source Port: 49901 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:49.425863981 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:50.261837959 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:50 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 12 | Source IP: 192.168.2.10 | Source Port: 49913 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:50.890914917 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:51.714534998 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:51 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 13 | Source IP: 192.168.2.10 | Source Port: 49925 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: Jan 11, 2025 01:37:52.363627911 CET | Bytes transferred: 151 | Direction: OUT | Data:
                                                                GET / HTTP/1.1
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                Host: checkip.dyndns.org
                                                                Connection: Keep-Alive
                                                                Timestamp: Jan 11, 2025 01:37:53.291182041 CET | Bytes transferred: 273 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:53 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 104
                                                                Connection: keep-alive
                                                                Cache-Control: no-cache
                                                                Pragma: no-cache
                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                Session ID: 0 | Source IP: 192.168.2.10 | Source Port: 49759 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 1824 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp: 2025-01-11 00:37:28 UTC | Bytes transferred: 85 | Direction: OUT | Data:
                                                                GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                Connection: Keep-Alive
                                                                Timestamp: 2025-01-11 00:37:28 UTC | Bytes transferred: 855 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:28 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870637
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhjmSTRwId8hrmojJAmrW3UMgGPTI5rsVWK2YFWDHxCrKZU71XOMLZi2U9twT5%2BhLWC83AV1j4r1rK0JbKtuTbsUtya%2BUPXG7eq4vGdLE4t9bu6AJWsAZ4vrJU%2BqJSi6OM8MY2mn"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d6a2693b42e9-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1625&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1660034&cwnd=240&unsent_bytes=0&cid=166033e33527272c&ts=213&x=0"
                                                                2025-01-11 00:37:28 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49766 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:28 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:37:29 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:29 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870638
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eYDz6y6knz3kg5KnIhIWjsYUAyC46vAI5M71N99jv9TEMR%2F0HSHc2xrG3aEtqZvf4fMCAwYNSfkFrOzrtACISt13vkZ7m35hGu2vJ2e%2BPmAwTvhBvoPZ3Wq8bQApDJzqZtJD27ry"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6a86a844414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1676&rtt_var=637&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1705607&cwnd=180&unsent_bytes=0&cid=caa4a5bb3ab52b90&ts=145&x=0"
2025-01-11 00:37:29 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49777 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:30 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:37:30 UTC | 854 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:30 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870639
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a1bt1fOj5HVRt05bqaI4IqNhoYniynJHkoqTpnA7vpXh5YbELV0xOTOy%2BGCsJq7YG96A6DopKIVX3GyviRNXwrwA8Wf7AqYDRNMMf9Paf%2BHVXMKBcaQYyyEbOSMAaTe8N3KET316"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6b1a904de95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2369&min_rtt=1701&rtt_var=1115&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1716637&cwnd=243&unsent_bytes=0&cid=2a01cde22f842d20&ts=155&x=0"
2025-01-11 00:37:30 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49789 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:32 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:37:32 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:32 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870641
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hc0qIKQFi8%2FwFLwScI9iC5VPDgpbRqoAB82SyX5NhzUxdKSolRnsNVFuECnOveOz%2BiB7YWctGFuXYv2EOqz5xKT0RSnf2ZPhj9hbh1D28O1JDquipfPqmFccjSxpntDSZq0g2bnn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6bb8ebede95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1655&rtt_var=645&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1663817&cwnd=243&unsent_bytes=0&cid=7cc6b2736c527fbe&ts=137&x=0"
2025-01-11 00:37:32 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49797 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:33 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:37:33 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:33 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870642
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XYp%2FefpCdSVA6AhjH1QC%2Bg%2BkDLRsCMO1bv7zL6jvgAqzepAqNNiczbDZI22EWCMRto%2FgvKSXlp8Z0NxXnYBnOUymsnexUgfucpNmau%2F7mgNYfgrnPuLuoDBlSBvETz0okbb6k6at"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6c4bf4f8ca1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1916&rtt_var=749&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1524008&cwnd=168&unsent_bytes=0&cid=28a36fdc36cc4ac8&ts=166&x=0"
2025-01-11 00:37:33 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49811 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:34 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:37:35 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:35 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870644
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v5bqjZe1L2CooXzuOdIYYUUCu91wd25tA95BF%2B7J2prf4JHd%2B72fY8tZgOs0XnMmitC32TImKLI1x2t9TvQQxxeUHdXeHAtH6MsgSbpHOXpCLyFJ%2F%2FpSIu%2Bs7ydYMvVjcPBktcxB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6cdda22de95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1703&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1696687&cwnd=243&unsent_bytes=0&cid=a314993446ac6780&ts=148&x=0"
2025-01-11 00:37:35 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49822 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:36 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:37:36 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:36 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870645
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tmao7%2Fn5upBWcG0FmO4tkRs1b8Fu8qV4BLpzxT3DVszlitwcWH2vXLeKZwRa69YHd5%2FX3rRKliUAvqCKY6NYLpJeQ47QgkPKL19UW2Z%2BAaPn0EFVdAyuogLBI9c3%2Fqpg3xYi9iUz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6d74cb87c6a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2124&min_rtt=1947&rtt_var=1085&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=867240&cwnd=218&unsent_bytes=0&cid=91a81efc9440ae11&ts=167&x=0"
2025-01-11 00:37:36 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49832 | 104.21.64.14 | 443 | 1824 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:37 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:37:38 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:37 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870647
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ILxA3mf1KQvbMO1NoHIBwMhcZWyx346BbCSZ%2B5YzqGaQzzGdsgd3j2G6ATxiicDsdS6K%2Fu1Un7mZGWnXjomeEmZlGJLl6A2VIoxPs77gryyv%2BHZilBLi%2F3ticLka%2F3k4tLudosD7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6e04e0bc358-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1616&rtt_var=619&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1749550&cwnd=155&unsent_bytes=0&cid=44a85bd079b0261a&ts=156&x=0"
2025-01-11 00:37:38 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49858 | 104.21.64.14 | 443 | 8128 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:37:42 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:37:42 UTC | 856 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:37:42 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870651
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O29Brcpog5FpjeLkJjg6hF0%2BvFfjoUdaWkfCVxZQ18v0VFJMKk5QT4h81pQrA5f6RFPcCylReFJjDqhMZKOpkVnykWd4XKiaamFRZloZJcbyfMeBUEbGYUYXgLddQXrYRh%2FzPUWi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000d6fcdb264414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52903&min_rtt=27387&rtt_var=28302&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=106619&cwnd=180&unsent_bytes=0&cid=8a266e9683d28dc1&ts=208&x=0"
2025-01-11 00:37:42 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                9192.168.2.1049864104.21.64.14438128C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                TimestampBytes transferredDirectionData
                                                                2025-01-11 00:37:43 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                2025-01-11 00:37:43 UTC853INHTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:43 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870652
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=33lw22X6vhopnt1rWIZ2goab0tTJ9ElZbxufROApJq60lI497YRubO2T4Q8C%2FfHhvkziORee6wVIOG2laT27FcLPELLURmuBvWlXLqKbov96KiF1Z7g5Z8ruDNiwEgLVQmlRwu%2Fk"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d703dffa8ca1-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1944&min_rtt=1934&rtt_var=745&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1449851&cwnd=168&unsent_bytes=0&cid=9dc3c3f18174f8e3&ts=143&x=0"
                                                                2025-01-11 00:37:43 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session ID: 10 | Source IP: 192.168.2.10 | Source Port: 49874 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-01-11 00:37:45 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                2025-01-11 00:37:45 UTC | 855 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:45 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870654
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FjLYJadsBi4wb8673DdY3b3DIZuJc6SA6mTyJR79aul7O3iDrUkHjCaK%2F4iMAb%2BbQAwDtQxzWS6Aw07nzSrMeN6O2VeUkOJMX9nJF9oZy63p9OHBI8a7LH1u5RQoSF6LRhg9kOQd"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d70f5d784414-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1653&rtt_var=651&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1640449&cwnd=180&unsent_bytes=0&cid=04500f23644b5159&ts=128&x=0"
                                                                2025-01-11 00:37:45 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session ID: 11 | Source IP: 192.168.2.10 | Source Port: 49885 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-01-11 00:37:47 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                Connection: Keep-Alive
                                                                2025-01-11 00:37:47 UTC | 854 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:47 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870656
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2yzv36RSn8Oy9ax7C1piObR7FQGfFmd4A%2BG8JymJCmG7GEQQB3J1Ve7ZxHZcbMTHl7YubTgWTaTCsbpBjETipKhDrzv7sVcDG97uB5eFTsxLZuTwGs4dAw6nyf1lkOI8vTDm6rPq"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d71a4b0a4414-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=28513&min_rtt=1695&rtt_var=16624&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1722713&cwnd=180&unsent_bytes=0&cid=3c39f0b50555106d&ts=231&x=0"
                                                                2025-01-11 00:37:47 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session ID: 12 | Source IP: 192.168.2.10 | Source Port: 49895 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-01-11 00:37:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                Connection: Keep-Alive
                                                                2025-01-11 00:37:49 UTC | 863 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:49 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870658
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j57osn88AsXg2LgaFX5AI45QEU7q%2B1P%2F0R%2BC4IB1%2FqhhzzQwA%2B2h2ycrEDfpVpOcpYWSe1yI9ItyppT233TYOfaxeRcxtTDl7QjSyia9qvKoPzQNBAESW8bUfs15H9fT84%2F%2BOofw"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d7277871de95-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1643&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1738095&cwnd=243&unsent_bytes=0&cid=73282173a18d9e5c&ts=139&x=0"
                                                                2025-01-11 00:37:49 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session ID: 13 | Source IP: 192.168.2.10 | Source Port: 49907 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-01-11 00:37:50 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                2025-01-11 00:37:50 UTC | 859 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:50 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870659
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=92gOA%2Fqoap3Am3A2jIJzNdrJPRZknWK1cSdnO7nt1wT7TU0UgTVS%2F8iNbR7ObfkOPiv%2F3QoVFLrJxhky4RuFYpkrMQ%2FYo4L7acUFK9KN10qlYDA9bMk4GxyYfy0cyE%2FfOMZGaoz5"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d730ae298ca1-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=1999&rtt_var=766&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1412675&cwnd=168&unsent_bytes=0&cid=67591d18d9be2a03&ts=130&x=0"
                                                                2025-01-11 00:37:50 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session ID: 14 | Source IP: 192.168.2.10 | Source Port: 49919 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-01-11 00:37:52 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                Connection: Keep-Alive
                                                                2025-01-11 00:37:52 UTC | 856 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:52 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870661
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kwVi1snkr40gJ98v5H9YBvhJ0AYbksFDJF6zf7dxAvpnibdHUbUhWhIMMs%2FtlkWvPQ6UO60zuJI0CCC%2BcuyQs%2BubZ7qtTpKLD7oXelqyjAfqQcKNIP065MTODdesj%2F0J8aDt8lUI"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d739b8728ca1-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1966&rtt_var=983&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=458254&cwnd=168&unsent_bytes=0&cid=f51fe57c94da8319&ts=157&x=0"
                                                                2025-01-11 00:37:52 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Session ID: 15 | Source IP: 192.168.2.10 | Source Port: 49931 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 8128 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-01-11 00:37:53 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                Host: reallyfreegeoip.org
                                                                2025-01-11 00:37:53 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 00:37:53 GMT
                                                                Content-Type: text/xml
                                                                Content-Length: 362
                                                                Connection: close
                                                                Age: 1870663
                                                                Cache-Control: max-age=31536000
                                                                cf-cache-status: HIT
                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p1JTM1Rf%2FVNXs501ZHTWtYUBV3Ses2cCUZ1GK0Rip6TAsH6MJA%2BTKQncxPhPg4u%2B0EKNMS2w%2FcZJB3x2W0aH3iRlBbBpFGOHBl0xKwYF%2BD4yZ1Yd7IFJLh5YLENQagIgrCV%2FqakA"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9000d743ddb37c6a-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2021&rtt_var=760&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1437007&cwnd=218&unsent_bytes=0&cid=03feaaf409a4547d&ts=149&x=0"
                                                                2025-01-11 00:37:53 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                Target ID:5
                                                                Start time:19:37:16
                                                                Start date:10/01/2025
                                                                Path:C:\Users\user\Desktop\uVpytXGpQz.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\uVpytXGpQz.exe"
                                                                Imagebase:0xca0000
                                                                File size:2'226'176 bytes
                                                                MD5 hash:022DBAA1DF24D488B03ECB058A521613
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:19:37:16
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff620390000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:19:37:16
                                                                Start date:10/01/2025
                                                                Path:C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
                                                                Imagebase:0xa0000
                                                                File size:558'080 bytes
                                                                MD5 hash:47310E2D76477F79641F8703027A60B0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 63%, ReversingLabs
                                                                • Detection: 69%, Virustotal, Browse
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:19:37:17
                                                                Start date:10/01/2025
                                                                Path:C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\EmbeddedExe2.exe"
                                                                Imagebase:0x7ff68eed0000
                                                                File size:1'663'264 bytes
                                                                MD5 hash:5EFEF6CC9CD24BAEEED71C1107FC32DF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                • Detection: 0%, Virustotal, Browse
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:10
                                                                Start time:19:37:21
                                                                Start date:10/01/2025
                                                                Path:C:\Users\user\AppData\Local\poufs\caulds.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
                                                                Imagebase:0x520000
                                                                File size:558'080 bytes
                                                                MD5 hash:47310E2D76477F79641F8703027A60B0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000A.00000002.1370886600.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 63%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:19:37:25
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"
                                                                Imagebase:0x6a0000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.1498792528.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1502078806.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:19:37:33
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\System32\wscript.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs"
                                                                Imagebase:0x7ff6002f0000
                                                                File size:170'496 bytes
                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:19:37:34
                                                                Start date:10/01/2025
                                                                Path:C:\Users\user\AppData\Local\poufs\caulds.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\poufs\caulds.exe"
                                                                Imagebase:0x520000
                                                                File size:558'080 bytes
                                                                MD5 hash:47310E2D76477F79641F8703027A60B0
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000E.00000002.1513404739.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:19:37:37
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0xd70000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:19:37:37
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff620390000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:19:37:38
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\SysWOW64\choice.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:choice /C Y /N /D Y /T 3
                                                                Imagebase:0xef0000
                                                                File size:28'160 bytes
                                                                MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:19:37:39
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\poufs\caulds.exe"
                                                                Imagebase:0x640000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000012.00000002.1651176289.0000000002941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:19:37:53
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0xd70000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:19:37:53
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff620390000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:21
                                                                Start time:19:37:53
                                                                Start date:10/01/2025
                                                                Path:C:\Windows\SysWOW64\choice.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:choice /C Y /N /D Y /T 3
                                                                Imagebase:0xef0000
                                                                File size:28'160 bytes
                                                                MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true
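Three behaviours in the process list above are worth turning into detection logic rather than reading off by eye: the .NET utility RegSvcs.exe (Targets 11 and 18) running with the command line of the dropped caulds.exe / EmbeddedExe1.exe, which is what the report's "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures look like in a process tree (Target 10, listed with the caulds.exe path but the EmbeddedExe1.exe command line, shows the same mismatch); cmd.exe running `choice /C Y /N /D Y /T 3 & Del ...` (Targets 15 and 19), a three-second delayed delete that here targets the hollowed host RegSvcs.exe rather than the dropper; and wscript.exe executing caulds.vbs out of the user's Startup folder (Target 13). The Python below is an added example written for this page, not Joe Sandbox code and not code recovered from the sample; the `ProcEvent` layout and the rule names are my own, and the sample records are transcribed from the entries above (Target ID, Path, Commandline).

```python
"""Added example: detection rules over process records shaped like the Joe Sandbox
process list above. Not sandbox code; ProcEvent layout and rule names are my own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ProcEvent:
    target_id: int   # the report's "Target ID"
    image: str       # "Path": the module actually mapped as the main executable
    cmdline: str     # "Commandline": what the process reports as its command line

def argv0(cmdline: str) -> str:
    """Program named by the first token of a Windows command line, quoted or not."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""

def program_name(path: str) -> str:
    """Lower-case basename without a trailing .exe, so 'choice' == 'choice.exe'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

# cmd.exe /C choice /C Y /N /D Y /T <secs> & Del "<file>": a delayed delete built from
# stock tools; the Del target is captured so triage can see what was removed.
_DELAYED_DEL = re.compile(
    r'choice\s+/c\s+\w+\s+/n\s+/d\s+\w+\s+/t\s+\d+\s*&\s*del\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# A script executed straight out of the per-user Startup folder.
_STARTUP_SCRIPT = re.compile(
    r'\\Start Menu\\Programs\\Startup\\[^"]+?\.(?:vbs|vbe|js|jse|wsf)\b', re.IGNORECASE
)
_SCRIPT_HOSTS = {"wscript", "cscript"}

def rule_image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """Mapped image and command-line program disagree: RegSvcs.exe carrying the
    command line of caulds.exe / EmbeddedExe1.exe is how a hollowed host shows up."""
    a0 = argv0(ev.cmdline)
    return bool(a0) and program_name(a0) != program_name(ev.image)

def rule_delayed_delete(ev: ProcEvent) -> Optional[str]:
    """Return the file a cmd.exe 'choice ... & del' one-liner deletes, else None."""
    if program_name(ev.image) != "cmd":
        return None
    m = _DELAYED_DEL.search(ev.cmdline)
    return m.group("target") if m else None

def rule_startup_script_host(ev: ProcEvent) -> bool:
    """wscript/cscript running a script that lives in the Startup folder."""
    if program_name(ev.image) not in _SCRIPT_HOSTS:
        return False
    return _STARTUP_SCRIPT.search(ev.cmdline) is not None

def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each Target ID to the rule names it triggers (empty list = nothing)."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits: List[str] = []
        if rule_image_cmdline_mismatch(ev):
            hits.append("image_cmdline_mismatch")
        target = rule_delayed_delete(ev)
        if target is not None:
            hits.append("delayed_delete:" + program_name(target))
        if rule_startup_script_host(ev):
            hits.append("startup_script_host")
        findings[ev.target_id] = hits
    return findings

# Transcribed from the process list above; Targets 19-21 repeat 15-17 and are omitted.
SAMPLE_EVENTS = [
    ProcEvent(10, r"C:\Users\user\AppData\Local\poufs\caulds.exe",
              r'"C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"'),
    ProcEvent(11, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\AppData\Local\Temp\EmbeddedExe1.exe"'),
    ProcEvent(13, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming'
              r'\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs"'),
    ProcEvent(14, r"C:\Users\user\AppData\Local\poufs\caulds.exe",
              r'"C:\Users\user\AppData\Local\poufs\caulds.exe"'),
    ProcEvent(15, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del '
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(16, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(17, r"C:\Windows\SysWOW64\choice.exe", r"choice /C Y /N /D Y /T 3"),
    ProcEvent(18, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\AppData\Local\poufs\caulds.exe"'),
]

if __name__ == "__main__":
    for tid, hits in scan(SAMPLE_EVENTS).items():
        print(tid, hits or "-")
```

Run against the transcribed records, Targets 10, 11 and 18 trip the image/command-line mismatch, Target 13 the Startup-folder script host, Target 15 the delayed delete (with `regsvcs` as its target), and Targets 14, 16 and 17 nothing. In Sysmon event 1 or EDR telemetry the same comparison is `Image` against the first token of `CommandLine` (`OriginalFileName` from the PE version resource is a second, harder-to-spoof handle); launchers that rewrite argv[0] produce benign mismatches, so treat that rule as a triage lead rather than a verdict. The captured delete target is worth a second look here: the one-liner aims at RegSvcs.exe under the .NET Framework directory, the report does not show whether the deletion succeeded, and the two invocations differ only in privilege (Target 15 with administrator rights, Target 19 without).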

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1288711311.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff7c1050000_uVpytXGpQz.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6f2ff5c02287f3bc9812e4bfc3a4aa9f70f405d4822d2ba261b1fc3a1468fa22
                                                                  • Instruction ID: 35373c510f9e446f36fe7251d2905e487fe2d9efec048ca49c8316651e5b19bf
                                                                  • Opcode Fuzzy Hash: 6f2ff5c02287f3bc9812e4bfc3a4aa9f70f405d4822d2ba261b1fc3a1468fa22
                                                                  • Instruction Fuzzy Hash: B2715772E0DE8A4FE755BB2898657FDBBE0FF55320F45017AD04EC3186DE18A88187A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1288711311.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff7c1050000_uVpytXGpQz.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 91d10a61a5715c1948d5e2f24c21237c96fb617bf19d969ff28f7d9a17dd0eaf
                                                                  • Instruction ID: 7ddbcbc5938e984db66db0d755feb9fd62351a46ccff92b81e73989c477b7f2c
                                                                  • Opcode Fuzzy Hash: 91d10a61a5715c1948d5e2f24c21237c96fb617bf19d969ff28f7d9a17dd0eaf
                                                                  • Instruction Fuzzy Hash: B631A470908A8D8FDB81FF6898586ADBBF1FF5A311F4501BAE04DD3256DE289C41C791
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1288711311.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff7c1050000_uVpytXGpQz.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f01eb18a069015a5b05fc2195c2c3cc9da56e14af0b2740f62dfb353061dfebd
                                                                  • Instruction ID: f4fc59353e7867c8a93af795963814a289d5908e59235dcbca574f4d4a6e4261
                                                                  • Opcode Fuzzy Hash: f01eb18a069015a5b05fc2195c2c3cc9da56e14af0b2740f62dfb353061dfebd
                                                                  • Instruction Fuzzy Hash: 00215530A08D1D8FEB94FF689459AADB7F1FF98310F51023AE40ED3245DE34A8818B90
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.1288711311.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff7c1050000_uVpytXGpQz.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7afa0621510359c434434ad054e93d77935b64b1c80d024306615eda51ecbac0
                                                                  • Instruction ID: 71cd9aedf374c40a2307f6968400ca6fe84a8f497cf0dada8e6b68fdd0baac7e
                                                                  • Opcode Fuzzy Hash: 7afa0621510359c434434ad054e93d77935b64b1c80d024306615eda51ecbac0
                                                                  • Instruction Fuzzy Hash: C0E0CD35508A4C5FCB00AB59E8005C5BB65FE89318F00029EE45DC3182C7219565C795

                                                                  Execution Graph

                                                                  Execution Coverage:3.7%
                                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                                  Signature Coverage:8.3%
                                                                  Total number of Nodes:2000
                                                                  Total number of Limit Nodes:56
                                                                  execution_graph: serialized node/edge data behind the interactive graph (function addresses as node labels, "a->b" call edges, and node summaries such as "a9328 85 API calls" or "ac8c0 332 API calls"); the token stream is truncated at the end of the page.
                                                                  Win32 APIs that survive in the node labels: RtlAllocateHeap, RtlDecodePointer, RaiseException, GetModuleHandleExW, GetProcAddress, ExitProcess, GetCurrentProcess, TerminateProcess, VariantClear, CharUpperBuffW. CRT routines named: _memmove, _wcsstr, _wcscpy, __itow, __i64tow, __wtof_l, __gmtime64_s, __cinit, _free, __getptd_noexit, __NMSG_WRITE, ___crtCorExitProcess, std::exception::exception.
11cfb8 FreeLibrary 101302->101306 101303 11ce6b 101357 11d649 108 API calls _free 101303->101357 101306->101278 101308 a9d3c 60 API calls 101309 11ce7c 101308->101309 101309->101302 101309->101308 101358 a8d40 59 API calls Mailbox 101309->101358 101360 11d649 108 API calls _free 101309->101360 101361 a7e4f 101310->101361 101312 11d7c0 CharLowerBuffW 101365 ff167 101312->101365 101319 11d810 101390 a7d2c 101319->101390 101321 11d81c Mailbox 101322 11d858 Mailbox 101321->101322 101394 11cfdf 61 API calls 2 library calls 101321->101394 101322->101276 101324 11c9de 101323->101324 101325 11c989 101323->101325 101329 11da50 101324->101329 101326 c0db6 Mailbox 59 API calls 101325->101326 101328 11c9ab 101326->101328 101327 c0db6 Mailbox 59 API calls 101327->101328 101328->101324 101328->101327 101330 11dc79 Mailbox 101329->101330 101337 11da73 _strcat _wcscpy __NMSG_WRITE 101329->101337 101330->101289 101331 a9b3c 59 API calls 101331->101337 101332 a9b98 59 API calls 101332->101337 101333 a9be6 59 API calls 101333->101337 101334 a9837 85 API calls 101334->101337 101335 c571c 58 API calls __crtCompareStringA_stat 101335->101337 101337->101330 101337->101331 101337->101332 101337->101333 101337->101334 101337->101335 101401 105887 61 API calls 2 library calls 101337->101401 101339 c0c1d 101338->101339 101340 c0cb5 VirtualProtect 101339->101340 101341 c0c83 101339->101341 101340->101341 101341->101292 101341->101293 101342->101276 101343->101276 101344->101298 101346 a92d6 101345->101346 101347 c0db6 Mailbox 59 API calls 101346->101347 101348 a92e4 101347->101348 101349 a92f0 101348->101349 101402 a91fc 59 API calls Mailbox 101348->101402 101351 a9050 101349->101351 101403 a9160 101351->101403 101353 a905f 101354 c0db6 Mailbox 59 API calls 101353->101354 101355 a90fb 101353->101355 101354->101355 101355->101309 101356 a8d40 59 API calls Mailbox 101355->101356 101356->101303 101357->101309 101358->101309 101359->101281 101360->101309 101362 a7e62 101361->101362 101364 a7e5f 
_memmove 101361->101364 101363 c0db6 Mailbox 59 API calls 101362->101363 101363->101364 101364->101312 101366 ff192 __NMSG_WRITE 101365->101366 101367 ff1d1 101366->101367 101370 ff1c7 101366->101370 101371 ff278 101366->101371 101367->101321 101372 a7667 101367->101372 101370->101367 101395 a78c4 61 API calls 101370->101395 101371->101367 101396 a78c4 61 API calls 101371->101396 101373 c0db6 Mailbox 59 API calls 101372->101373 101374 a7688 101373->101374 101375 c0db6 Mailbox 59 API calls 101374->101375 101376 a7696 101375->101376 101377 a784b 101376->101377 101378 a785a 101377->101378 101379 a78b7 101377->101379 101378->101379 101381 a7865 101378->101381 101380 a7d2c 59 API calls 101379->101380 101387 a7888 _memmove 101380->101387 101382 deb09 101381->101382 101383 a7880 101381->101383 101398 a8029 101382->101398 101397 a7f27 59 API calls Mailbox 101383->101397 101386 deb13 101388 c0db6 Mailbox 59 API calls 101386->101388 101387->101319 101389 deb33 101388->101389 101391 a7d3a 101390->101391 101393 a7d43 _memmove 101390->101393 101392 a7e4f 59 API calls 101391->101392 101391->101393 101392->101393 101393->101321 101394->101322 101395->101370 101396->101371 101397->101387 101399 c0db6 Mailbox 59 API calls 101398->101399 101400 a8033 101399->101400 101400->101386 101401->101337 101402->101349 101404 a9169 Mailbox 101403->101404 101405 df19f 101404->101405 101410 a9173 101404->101410 101406 c0db6 Mailbox 59 API calls 101405->101406 101408 df1ab 101406->101408 101407 a917a 101407->101353 101408->101408 101409 a9c90 Mailbox 59 API calls 101409->101410 101410->101407 101410->101409 101411->101184 101412->101184 101414 a7cbf 101413->101414 101415 ded4a 101413->101415 101421 a7c50 101414->101421 101416 a8029 59 API calls 101415->101416 101419 ded55 __NMSG_WRITE _memmove 101416->101419 101418 a7cca 101418->101175 101420->101165 101422 a7c5f __NMSG_WRITE 101421->101422 101423 a8029 59 API calls 101422->101423 101424 a7c70 _memmove 101422->101424 101425 ded07 _memmove 
101423->101425 101424->101418 101426->101225 101427->101197 101428->101210 101430 af4ba 101429->101430 101431 af650 101429->101431 101432 e441e 101430->101432 101433 af4c6 101430->101433 101434 a7de1 59 API calls 101431->101434 101435 11bc6b 332 API calls 101432->101435 101631 af290 332 API calls 2 library calls 101433->101631 101440 af58c Mailbox 101434->101440 101437 e442c 101435->101437 101441 af630 101437->101441 101632 109e4a 90 API calls 4 library calls 101437->101632 101439 af4fd 101439->101437 101439->101440 101439->101441 101533 103c37 101440->101533 101536 11445a 101440->101536 101545 10cb7a 101440->101545 101625 a4e4a 101440->101625 101441->101225 101442 a9c90 Mailbox 59 API calls 101443 af5e3 101442->101443 101443->101441 101443->101442 101448->101209 101449->101214 102772 a8180 101450->102772 101452 afd3d 101453 b06f6 101452->101453 101454 e472d 101452->101454 102777 af234 101452->102777 102878 109e4a 90 API calls 4 library calls 101453->102878 102879 109e4a 90 API calls 4 library calls 101454->102879 101458 e4742 101459 afe3e 101460 e488d 101459->101460 101462 afe4c 101459->101462 102883 f66ec 59 API calls 2 library calls 101459->102883 101460->101458 101460->101462 102885 11a2d9 86 API calls Mailbox 101460->102885 101461 b0517 101468 c0db6 Mailbox 59 API calls 101461->101468 101470 e48f9 101462->101470 101516 e4b53 101462->101516 102781 a837c 101462->102781 101463 e47d7 101463->101458 102881 109e4a 90 API calls 4 library calls 101463->102881 101477 b0545 _memmove 101468->101477 101469 e4848 102884 f60ef 59 API calls 2 library calls 101469->102884 101478 e4917 101470->101478 102887 a85c0 101470->102887 101473 e4755 101473->101463 102880 af6a3 332 API calls 101473->102880 101475 e48b2 Mailbox 101475->101462 102886 f66ec 59 API calls 2 library calls 101475->102886 101485 c0db6 Mailbox 59 API calls 101477->101485 101484 e4928 101478->101484 101487 a85c0 59 API calls 101478->101487 101479 afea4 101488 e4ad6 101479->101488 101489 aff32 101479->101489 
101524 b0179 Mailbox _memmove 101479->101524 101480 e486b 101481 a9ea0 332 API calls 101480->101481 101481->101460 101482 c0db6 59 API calls Mailbox 101492 afdd3 101482->101492 101484->101524 102895 f60ab 59 API calls Mailbox 101484->102895 101528 b0106 _memmove 101485->101528 101487->101484 102903 109ae7 60 API calls 101488->102903 101491 c0db6 Mailbox 59 API calls 101489->101491 101494 aff39 101491->101494 101492->101458 101492->101459 101492->101461 101492->101473 101492->101477 101492->101482 101495 a9ea0 332 API calls 101492->101495 101505 e480c 101492->101505 101494->101453 102788 b09d0 101494->102788 101495->101492 101496 e4a4d 101497 a9ea0 332 API calls 101496->101497 101499 e4a87 101497->101499 101499->101458 102898 a84c0 101499->102898 101501 affb2 101501->101453 101501->101477 101508 affe6 101501->101508 102882 109e4a 90 API calls 4 library calls 101505->102882 101507 e4ab2 102902 109e4a 90 API calls 4 library calls 101507->102902 101512 a8047 59 API calls 101508->101512 101514 b0007 101508->101514 101510 a9c90 Mailbox 59 API calls 101510->101528 101511 a9d3c 60 API calls 101511->101524 101512->101514 101513 b0398 101513->101225 101514->101453 101515 e4b24 101514->101515 101519 b004c 101514->101519 101517 a9d3c 60 API calls 101515->101517 101516->101458 102904 109e4a 90 API calls 4 library calls 101516->102904 101517->101516 101518 c0db6 59 API calls Mailbox 101518->101524 101519->101453 101519->101516 101520 b00d8 101519->101520 101521 a9d3c 60 API calls 101520->101521 101523 b00eb 101521->101523 101522 e4a1c 101525 c0db6 Mailbox 59 API calls 101522->101525 101523->101453 102865 a82df 101523->102865 101524->101453 101524->101496 101524->101507 101524->101511 101524->101513 101524->101518 101524->101522 102876 a8740 68 API calls __cinit 101524->102876 102877 a8660 68 API calls 101524->102877 102896 105937 68 API calls 101524->102896 102897 a89b3 69 API calls Mailbox 101524->102897 101525->101496 101528->101510 101528->101524 101529 b0162 101528->101529 
101529->101225 101530->101223 101531->101226 101532->101230 101633 10445a GetFileAttributesW 101533->101633 101537 a9837 85 API calls 101536->101537 101538 114494 101537->101538 101637 a6240 101538->101637 101540 1144a4 101541 1144c9 101540->101541 101542 a9ea0 332 API calls 101540->101542 101544 1144cd 101541->101544 101662 a9a98 59 API calls Mailbox 101541->101662 101542->101541 101544->101443 101546 a7667 59 API calls 101545->101546 101547 10cbaf 101546->101547 101548 a7667 59 API calls 101547->101548 101549 10cbb8 101548->101549 101550 10cbcc 101549->101550 101869 a9b3c 59 API calls 101549->101869 101552 a9837 85 API calls 101550->101552 101553 10cbe9 101552->101553 101554 10ccea 101553->101554 101555 10cc0b 101553->101555 101624 10cd1a Mailbox 101553->101624 101682 a4ddd 101554->101682 101556 a9837 85 API calls 101555->101556 101559 10cc17 101556->101559 101561 a8047 59 API calls 101559->101561 101560 10cd16 101564 a7667 59 API calls 101560->101564 101560->101624 101562 10cc23 101561->101562 101567 10cc37 101562->101567 101568 10cc69 101562->101568 101563 a4ddd 136 API calls 101563->101560 101565 10cd4b 101564->101565 101566 a7667 59 API calls 101565->101566 101569 10cd54 101566->101569 101570 a8047 59 API calls 101567->101570 101571 a9837 85 API calls 101568->101571 101572 a7667 59 API calls 101569->101572 101573 10cc47 101570->101573 101574 10cc76 101571->101574 101575 10cd5d 101572->101575 101577 a7cab 59 API calls 101573->101577 101578 a8047 59 API calls 101574->101578 101576 a7667 59 API calls 101575->101576 101579 10cd66 101576->101579 101580 10cc51 101577->101580 101581 10cc82 101578->101581 101583 a9837 85 API calls 101579->101583 101584 a9837 85 API calls 101580->101584 101870 104a31 GetFileAttributesW 101581->101870 101586 10cd73 101583->101586 101587 10cc5d 101584->101587 101585 10cc8b 101588 10cc9e 101585->101588 101591 a79f2 59 API calls 101585->101591 101706 a459b 101586->101706 101590 a7b2e 59 API calls 101587->101590 101593 a9837 85 API calls 
101588->101593 101599 10cca4 101588->101599 101590->101568 101591->101588 101592 10cd8e 101757 a79f2 101592->101757 101595 10cccb 101593->101595 101871 1037ef 75 API calls Mailbox 101595->101871 101598 10cdd1 101600 a8047 59 API calls 101598->101600 101599->101624 101602 10cddf 101600->101602 101601 a79f2 59 API calls 101603 10cdae 101601->101603 101604 a7b2e 59 API calls 101602->101604 101603->101598 101872 a7bcc 101603->101872 101605 10cded 101604->101605 101607 a7b2e 59 API calls 101605->101607 101609 10cdfb 101607->101609 101608 10cdc3 101610 a7bcc 59 API calls 101608->101610 101611 a7b2e 59 API calls 101609->101611 101610->101598 101612 10ce09 101611->101612 101613 a9837 85 API calls 101612->101613 101614 10ce15 101613->101614 101760 104071 101614->101760 101616 10ce26 101617 103c37 3 API calls 101616->101617 101618 10ce30 101617->101618 101619 a9837 85 API calls 101618->101619 101622 10ce61 101618->101622 101620 10ce4e 101619->101620 101814 109155 101620->101814 101623 a4e4a 84 API calls 101622->101623 101623->101624 101624->101443 101626 a4e54 101625->101626 101630 a4e5b 101625->101630 101627 c53a6 __fcloseall 83 API calls 101626->101627 101627->101630 101628 a4e6a 101628->101443 101629 a4e7b FreeLibrary 101629->101628 101630->101628 101630->101629 101631->101439 101632->101441 101634 103c3e 101633->101634 101635 104475 FindFirstFileW 101633->101635 101634->101443 101635->101634 101636 10448a FindClose 101635->101636 101636->101634 101663 a7a16 101637->101663 101639 a646a 101670 a750f 101639->101670 101641 a6484 Mailbox 101641->101540 101644 a6265 101644->101639 101645 a7d8c 59 API calls 101644->101645 101646 a6799 _memmove 101644->101646 101647 a750f 59 API calls 101644->101647 101648 ddff6 101644->101648 101655 ddf92 101644->101655 101659 a7e4f 59 API calls 101644->101659 101668 a5f6c 60 API calls 101644->101668 101669 a5d41 59 API calls Mailbox 101644->101669 101678 a5e72 60 API calls 101644->101678 101679 a7924 59 API calls 2 library calls 101644->101679 
101645->101644 101681 ff8aa 92 API calls 4 library calls 101646->101681 101647->101644 101680 ff8aa 92 API calls 4 library calls 101648->101680 101651 de004 101653 a750f 59 API calls 101651->101653 101654 de01a 101653->101654 101654->101641 101656 a8029 59 API calls 101655->101656 101658 ddf9d 101656->101658 101661 c0db6 Mailbox 59 API calls 101658->101661 101660 a643b CharUpperBuffW 101659->101660 101660->101644 101661->101646 101662->101544 101664 c0db6 Mailbox 59 API calls 101663->101664 101665 a7a3b 101664->101665 101666 a8029 59 API calls 101665->101666 101667 a7a4a 101666->101667 101667->101644 101668->101644 101669->101644 101671 a75af 101670->101671 101674 a7522 _memmove 101670->101674 101673 c0db6 Mailbox 59 API calls 101671->101673 101672 c0db6 Mailbox 59 API calls 101675 a7529 101672->101675 101673->101674 101674->101672 101676 c0db6 Mailbox 59 API calls 101675->101676 101677 a7552 101675->101677 101676->101677 101677->101641 101678->101644 101679->101644 101680->101651 101681->101641 101881 a4bb5 101682->101881 101687 a4e08 LoadLibraryExW 101891 a4b6a 101687->101891 101688 dd8e6 101689 a4e4a 84 API calls 101688->101689 101691 dd8ed 101689->101691 101693 a4b6a 3 API calls 101691->101693 101695 dd8f5 101693->101695 101917 a4f0b 101695->101917 101696 a4e2f 101696->101695 101697 a4e3b 101696->101697 101698 a4e4a 84 API calls 101697->101698 101700 a4e40 101698->101700 101700->101560 101700->101563 101703 dd91c 101925 a4ec7 101703->101925 101707 a7667 59 API calls 101706->101707 101708 a45b1 101707->101708 101709 a7667 59 API calls 101708->101709 101710 a45b9 101709->101710 101711 a7667 59 API calls 101710->101711 101712 a45c1 101711->101712 101713 a7667 59 API calls 101712->101713 101714 a45c9 101713->101714 101715 a45fd 101714->101715 101716 dd4d2 101714->101716 101717 a784b 59 API calls 101715->101717 101718 a8047 59 API calls 101716->101718 101719 a460b 101717->101719 101720 dd4db 101718->101720 101721 a7d2c 59 API calls 101719->101721 102404 a7d8c 
101720->102404 101723 a4615 101721->101723 101724 a784b 59 API calls 101723->101724 101725 a4640 101723->101725 101727 a4636 101724->101727 101728 a465f 101725->101728 101729 dd4fb 101725->101729 101743 a4680 101725->101743 101726 a784b 59 API calls 101730 a4691 101726->101730 101731 a7d2c 59 API calls 101727->101731 101733 a79f2 59 API calls 101728->101733 101732 dd5cb 101729->101732 101740 dd5b4 101729->101740 101751 dd532 101729->101751 101734 a46a3 101730->101734 101737 a8047 59 API calls 101730->101737 101731->101725 101735 a7bcc 59 API calls 101732->101735 101736 a4669 101733->101736 101739 a8047 59 API calls 101734->101739 101742 a46b3 101734->101742 101752 dd588 101735->101752 101738 a784b 59 API calls 101736->101738 101736->101743 101737->101734 101738->101743 101739->101742 101740->101732 101747 dd59f 101740->101747 101741 a46ba 101745 a8047 59 API calls 101741->101745 101754 a46c1 Mailbox 101741->101754 101742->101741 101744 a8047 59 API calls 101742->101744 101743->101726 101744->101741 101745->101754 101746 a79f2 59 API calls 101746->101752 101749 a7bcc 59 API calls 101747->101749 101748 dd590 101750 a7bcc 59 API calls 101748->101750 101749->101752 101750->101752 101751->101748 101755 dd57b 101751->101755 101752->101743 101752->101746 102408 a7924 59 API calls 2 library calls 101752->102408 101754->101592 101756 a7bcc 59 API calls 101755->101756 101756->101752 101758 a7e4f 59 API calls 101757->101758 101759 a79fd 101758->101759 101759->101598 101759->101601 101761 10408d 101760->101761 101762 1040a0 101761->101762 101763 104092 101761->101763 101765 a7667 59 API calls 101762->101765 101764 a8047 59 API calls 101763->101764 101766 10409b Mailbox 101764->101766 101767 1040a8 101765->101767 101766->101616 101768 a7667 59 API calls 101767->101768 101769 1040b0 101768->101769 101770 a7667 59 API calls 101769->101770 101771 1040bb 101770->101771 101772 a7667 59 API calls 101771->101772 101773 1040c3 101772->101773 101774 a7667 59 API calls 101773->101774 
101775 1040cb 101774->101775 101776 a7667 59 API calls 101775->101776 101777 1040d3 101776->101777 101778 a7667 59 API calls 101777->101778 101779 1040db 101778->101779 101780 a7667 59 API calls 101779->101780 101781 1040e3 101780->101781 101782 a459b 59 API calls 101781->101782 101783 1040fa 101782->101783 101784 a459b 59 API calls 101783->101784 101785 104113 101784->101785 101786 a79f2 59 API calls 101785->101786 101787 10411f 101786->101787 101788 104132 101787->101788 101789 a7d2c 59 API calls 101787->101789 101790 a79f2 59 API calls 101788->101790 101789->101788 101791 10413b 101790->101791 101792 10414b 101791->101792 101793 a7d2c 59 API calls 101791->101793 101794 a8047 59 API calls 101792->101794 101793->101792 101795 104157 101794->101795 101796 a7b2e 59 API calls 101795->101796 101797 104163 101796->101797 102409 104223 59 API calls 101797->102409 101799 104172 102410 104223 59 API calls 101799->102410 101801 104185 101815 109162 __ftell_nolock 101814->101815 101816 c0db6 Mailbox 59 API calls 101815->101816 101817 1091bf 101816->101817 101818 a522e 59 API calls 101817->101818 101819 1091c9 101818->101819 101820 108f5f GetSystemTimeAsFileTime 101819->101820 101821 1091d4 101820->101821 101822 a4ee5 85 API calls 101821->101822 101823 1091e7 _wcscmp 101822->101823 101824 1092b8 101823->101824 101825 10920b 101823->101825 101826 109734 96 API calls 101824->101826 102441 109734 101825->102441 101830 109284 _wcscat 101826->101830 101831 1092c1 101830->101831 101832 a4f0b 74 API calls 101830->101832 101831->101622 101833 1092dd 101832->101833 101834 a4f0b 74 API calls 101833->101834 101836 1092ed 101834->101836 101835 109239 _wcscat _wcscpy 102448 c40fb 58 API calls __wsplitpath_helper 101835->102448 101837 a4f0b 74 API calls 101836->101837 101839 109308 101837->101839 101840 a4f0b 74 API calls 101839->101840 101841 109318 101840->101841 101842 a4f0b 74 API calls 101841->101842 101843 109333 101842->101843 101844 a4f0b 74 API calls 101843->101844 101845 109343 
101844->101845 101846 a4f0b 74 API calls 101845->101846 101847 109353 101846->101847 101869->101550 101870->101585 101871->101599 101873 a7bd8 __NMSG_WRITE 101872->101873 101874 a7c45 101872->101874 101876 a7bee 101873->101876 101877 a7c13 101873->101877 101875 a7d2c 59 API calls 101874->101875 101880 a7bf6 _memmove 101875->101880 102771 a7f27 59 API calls Mailbox 101876->102771 101878 a8029 59 API calls 101877->101878 101878->101880 101880->101608 101930 a4c03 101881->101930 101884 a4bec FreeLibrary 101885 a4bf5 101884->101885 101888 c525b 101885->101888 101886 a4c03 2 API calls 101887 a4bdc 101886->101887 101887->101884 101887->101885 101934 c5270 101888->101934 101890 a4dfc 101890->101687 101890->101688 102142 a4c36 101891->102142 101894 a4c36 2 API calls 101897 a4b8f 101894->101897 101895 a4baa 101898 a4c70 101895->101898 101896 a4ba1 FreeLibrary 101896->101895 101897->101895 101897->101896 101899 c0db6 Mailbox 59 API calls 101898->101899 101900 a4c85 101899->101900 102146 a522e 101900->102146 101902 a4c91 _memmove 101903 a4d89 101902->101903 101904 a4dc1 101902->101904 101908 a4ccc 101902->101908 102149 a4e89 CreateStreamOnHGlobal 101903->102149 102160 10991b 95 API calls 101904->102160 101905 a4ec7 69 API calls 101914 a4cd5 101905->101914 101908->101905 101909 a4f0b 74 API calls 101909->101914 101911 a4d69 101911->101696 101912 dd8a7 101913 a4ee5 85 API calls 101912->101913 101915 dd8bb 101913->101915 101914->101909 101914->101911 101914->101912 102155 a4ee5 101914->102155 101916 a4f0b 74 API calls 101915->101916 101916->101911 101918 dd9cd 101917->101918 101919 a4f1d 101917->101919 102184 c55e2 101919->102184 101922 109109 102381 108f5f 101922->102381 101924 10911f 101924->101703 101926 a4ed6 101925->101926 101927 dd990 101925->101927 102386 c5c60 101926->102386 101929 a4ede 101931 a4bd0 101930->101931 101932 a4c0c LoadLibraryA 101930->101932 101931->101886 101931->101887 101932->101931 101933 a4c1d GetProcAddress 101932->101933 101933->101931 101936 c527c 
_wprintf 101934->101936 101935 c528f 101983 c8b28 58 API calls __getptd_noexit 101935->101983 101936->101935 101938 c52c0 101936->101938 101953 d04e8 101938->101953 101939 c5294 101984 c8db6 9 API calls __output_l 101939->101984 101942 c52c5 101943 c52ce 101942->101943 101944 c52db 101942->101944 101985 c8b28 58 API calls __getptd_noexit 101943->101985 101946 c5305 101944->101946 101947 c52e5 101944->101947 101968 d0607 101946->101968 101986 c8b28 58 API calls __getptd_noexit 101947->101986 101949 c529f _wprintf @_EH4_CallFilterFunc@8 101949->101890 101954 d04f4 _wprintf 101953->101954 101988 c9c0b 101954->101988 101956 d0576 101995 d05fe 101956->101995 101957 d057d 102024 c881d 101957->102024 101960 d05f3 _wprintf 101960->101942 101965 d05aa RtlEnterCriticalSection 101965->101956 101966 d0502 101966->101956 101966->101957 101998 c9c93 101966->101998 102022 c6c50 59 API calls __lock 101966->102022 102023 c6cba RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 101966->102023 101977 d0627 __wopenfile 101968->101977 101969 d0641 102050 c8b28 58 API calls __getptd_noexit 101969->102050 101970 d07fc 101970->101969 101974 d085f 101970->101974 101972 d0646 102051 c8db6 9 API calls __output_l 101972->102051 102047 d85a1 101974->102047 101975 c5310 101987 c5332 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 101975->101987 101977->101969 101977->101970 102052 c37cb 60 API calls 2 library calls 101977->102052 101979 d07f5 101979->101970 102053 c37cb 60 API calls 2 library calls 101979->102053 101981 d0814 101981->101970 102054 c37cb 60 API calls 2 library calls 101981->102054 101983->101939 101984->101949 101985->101949 101986->101949 101987->101949 101989 c9c1c 101988->101989 101990 c9c2f RtlEnterCriticalSection 101988->101990 101991 c9c93 __mtinitlocknum 57 API calls 101989->101991 101990->101966 101992 c9c22 101991->101992 101992->101990 102031 c30b5 58 API calls 3 library calls 101992->102031 102032 c9d75 RtlLeaveCriticalSection 101995->102032 101997 d0605 
101997->101960 101999 c9c9f _wprintf 101998->101999 102000 c9ca8 101999->102000 102001 c9cc0 101999->102001 102033 ca16b 58 API calls __NMSG_WRITE 102000->102033 102004 c881d __malloc_crt 58 API calls 102001->102004 102009 c9ce1 _wprintf 102001->102009 102003 c9cad 102034 ca1c8 58 API calls 5 library calls 102003->102034 102006 c9cd5 102004->102006 102007 c9cdc 102006->102007 102008 c9ceb 102006->102008 102036 c8b28 58 API calls __getptd_noexit 102007->102036 102012 c9c0b __lock 58 API calls 102008->102012 102009->101966 102010 c9cb4 102035 c309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 102010->102035 102014 c9cf2 102012->102014 102016 c9cff 102014->102016 102017 c9d17 102014->102017 102037 c9e2b InitializeCriticalSectionAndSpinCount 102016->102037 102038 c2d55 102017->102038 102020 c9d0b 102044 c9d33 RtlLeaveCriticalSection _doexit 102020->102044 102022->101966 102023->101966 102025 c882b 102024->102025 102026 c571c __crtCompareStringA_stat 58 API calls 102025->102026 102027 c885d 102025->102027 102029 c883e 102025->102029 102026->102025 102027->101956 102030 c9e2b InitializeCriticalSectionAndSpinCount 102027->102030 102029->102025 102029->102027 102046 ca132 Sleep 102029->102046 102030->101965 102032->101997 102033->102003 102034->102010 102036->102009 102037->102020 102039 c2d5e RtlFreeHeap 102038->102039 102040 c2d87 __dosmaperr 102038->102040 102039->102040 102041 c2d73 102039->102041 102040->102020 102045 c8b28 58 API calls __getptd_noexit 102041->102045 102043 c2d79 GetLastError 102043->102040 102044->102009 102045->102043 102046->102029 102055 d7d85 102047->102055 102049 d85ba 102049->101975 102050->101972 102051->101975 102052->101979 102053->101981 102054->101970 102056 d7d91 _wprintf 102055->102056 102057 d7da7 102056->102057 102060 d7ddd 102056->102060 102139 c8b28 58 API calls __getptd_noexit 102057->102139 102059 d7dac 102140 c8db6 9 API calls __output_l 102059->102140 102066 d7e4e 102060->102066 102063 d7df9 102141 d7e22 
RtlLeaveCriticalSection __unlock_fhandle 102063->102141 102065 d7db6 _wprintf 102065->102049 102067 d7e6e 102066->102067 102068 c44ea __wsopen_nolock 58 API calls 102067->102068 102072 d7e8a 102068->102072 102069 d7fc1 102070 c8dc6 __invoke_watson 8 API calls 102069->102070 102071 d85a0 102070->102071 102074 d7d85 __wsopen_helper 103 API calls 102071->102074 102072->102069 102073 d7ec4 102072->102073 102081 d7ee7 102072->102081 102075 c8af4 __wsopen_nolock 58 API calls 102073->102075 102076 d85ba 102074->102076 102077 d7ec9 102075->102077 102076->102063 102078 c8b28 __output_l 58 API calls 102077->102078 102079 d7ed6 102078->102079 102082 c8db6 __output_l 9 API calls 102079->102082 102080 d7fa5 102083 c8af4 __wsopen_nolock 58 API calls 102080->102083 102081->102080 102088 d7f83 102081->102088 102084 d7ee0 102082->102084 102085 d7faa 102083->102085 102084->102063 102086 c8b28 __output_l 58 API calls 102085->102086 102087 d7fb7 102086->102087 102089 c8db6 __output_l 9 API calls 102087->102089 102090 cd294 __alloc_osfhnd 61 API calls 102088->102090 102089->102069 102091 d8051 102090->102091 102092 d807e 102091->102092 102093 d805b 102091->102093 102095 d7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102092->102095 102094 c8af4 __wsopen_nolock 58 API calls 102093->102094 102096 d8060 102094->102096 102106 d80a0 102095->102106 102097 c8b28 __output_l 58 API calls 102096->102097 102099 d806a 102097->102099 102098 d811e GetFileType 102100 d8129 GetLastError 102098->102100 102101 d816b 102098->102101 102104 c8b28 __output_l 58 API calls 102099->102104 102105 c8b07 __dosmaperr 58 API calls 102100->102105 102110 cd52a __set_osfhnd 59 API calls 102101->102110 102102 d80ec GetLastError 102103 c8b07 __dosmaperr 58 API calls 102102->102103 102107 d8111 102103->102107 102104->102084 102108 d8150 CloseHandle 102105->102108 102106->102098 102106->102102 102109 d7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102106->102109 102113 c8b28 __output_l 58 
103947->103958 103948->103926 103951 a4b1f GetSystemInfo 103953 a4ae9 103951->103953 103952 a4ad4 103954 a4b37 2 API calls 103952->103954 103953->103948 103956 a4aef FreeLibrary 103953->103956 103955 a4adc GetNativeSystemInfo 103954->103955 103955->103953 103956->103948 103959 a4ad0 103958->103959 103960 a4b40 LoadLibraryA 103958->103960 103959->103951 103959->103952 103960->103959 103961 a4b51 GetProcAddress 103960->103961 103961->103959 103962 a1066 103967 af76f 103962->103967 103964 a106c 103965 c2d40 __cinit 67 API calls 103964->103965 103966 a1076 103965->103966 103968 af790 103967->103968 104000 bff03 103968->104000 103972 af7d7 103973 a7667 59 API calls 103972->103973 103974 af7e1 103973->103974 103975 a7667 59 API calls 103974->103975 103976 af7eb 103975->103976 103977 a7667 59 API calls 103976->103977 103978 af7f5 103977->103978 103979 a7667 59 API calls 103978->103979 103980 af833 103979->103980 103981 a7667 59 API calls 103980->103981 103982 af8fe 103981->103982 104010 b5f87 103982->104010 103986 af930 103987 a7667 59 API calls 103986->103987 103988 af93a 103987->103988 104038 bfd9e 103988->104038 103990 af981 103991 af991 GetStdHandle 103990->103991 103992 e45ab 103991->103992 103993 af9dd 103991->103993 103992->103993 103995 e45b4 103992->103995 103994 af9e5 OleInitialize 103993->103994 103994->103964 104045 106b38 64 API calls Mailbox 103995->104045 103997 e45bb 104046 107207 CreateThread 103997->104046 103999 e45c7 CloseHandle 103999->103994 104047 bffdc 104000->104047 104003 bffdc 59 API calls 104004 bff45 104003->104004 104005 a7667 59 API calls 104004->104005 104006 bff51 104005->104006 104007 a7bcc 59 API calls 104006->104007 104008 af796 104007->104008 104009 c0162 6 API calls 104008->104009 104009->103972 104011 a7667 59 API calls 104010->104011 104012 b5f97 104011->104012 104013 a7667 59 API calls 104012->104013 104014 b5f9f 104013->104014 104054 b5a9d 104014->104054 104017 b5a9d 59 API calls 104018 b5faf 104017->104018 104019 a7667 59 API 
calls 104018->104019 104020 b5fba 104019->104020 104021 c0db6 Mailbox 59 API calls 104020->104021 104022 af908 104021->104022 104023 b60f9 104022->104023 104024 b6107 104023->104024 104025 a7667 59 API calls 104024->104025 104026 b6112 104025->104026 104027 a7667 59 API calls 104026->104027 104028 b611d 104027->104028 104029 a7667 59 API calls 104028->104029 104030 b6128 104029->104030 104031 a7667 59 API calls 104030->104031 104032 b6133 104031->104032 104033 b5a9d 59 API calls 104032->104033 104034 b613e 104033->104034 104035 c0db6 Mailbox 59 API calls 104034->104035 104036 b6145 RegisterClipboardFormatW 104035->104036 104036->103986 104039 f576f 104038->104039 104040 bfdae 104038->104040 104057 109ae7 60 API calls 104039->104057 104042 c0db6 Mailbox 59 API calls 104040->104042 104044 bfdb6 104042->104044 104043 f577a 104044->103990 104045->103997 104046->103999 104058 1071ed 65 API calls 104046->104058 104048 a7667 59 API calls 104047->104048 104049 bffe7 104048->104049 104050 a7667 59 API calls 104049->104050 104051 bffef 104050->104051 104052 a7667 59 API calls 104051->104052 104053 bff3b 104052->104053 104053->104003 104055 a7667 59 API calls 104054->104055 104056 b5aa5 104055->104056 104056->104017 104057->104043 104059 a1055 104064 a2649 104059->104064 104062 c2d40 __cinit 67 API calls 104063 a1064 104062->104063 104065 a7667 59 API calls 104064->104065 104066 a26b7 104065->104066 104071 a3582 104066->104071 104069 a2754 104070 a105a 104069->104070 104074 a3416 59 API calls 2 library calls 104069->104074 104070->104062 104075 a35b0 104071->104075 104074->104069 104076 a35a1 104075->104076 104077 a35bd 104075->104077 104076->104069 104077->104076 104078 a35c4 RegOpenKeyExW 104077->104078 104078->104076 104079 a35de RegQueryValueExW 104078->104079 104080 a3614 RegCloseKey 104079->104080 104081 a35ff 104079->104081 104080->104076 104081->104080

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A3B68
                                                                  • IsDebuggerPresent.KERNEL32 ref: 000A3B7A
                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,001652F8,001652E0,?,?), ref: 000A3BEB
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                    • Part of subcall function 000B092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000A3C14,001652F8,?,?,?), ref: 000B096E
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 000A3C6F
                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00157770,00000010), ref: 000DD281
                                                                  • SetCurrentDirectoryW.KERNEL32(?,001652F8,?,?,?), ref: 000DD2B9
                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00154260,001652F8,?,?,?), ref: 000DD33F
                                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 000DD346
                                                                    • Part of subcall function 000A3A46: GetSysColorBrush.USER32(0000000F), ref: 000A3A50
                                                                    • Part of subcall function 000A3A46: LoadCursorW.USER32(00000000,00007F00), ref: 000A3A5F
                                                                    • Part of subcall function 000A3A46: LoadIconW.USER32(00000063), ref: 000A3A76
                                                                    • Part of subcall function 000A3A46: LoadIconW.USER32(000000A4), ref: 000A3A88
                                                                    • Part of subcall function 000A3A46: LoadIconW.USER32(000000A2), ref: 000A3A9A
                                                                    • Part of subcall function 000A3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000A3AC0
                                                                    • Part of subcall function 000A3A46: RegisterClassExW.USER32(?), ref: 000A3B16
                                                                    • Part of subcall function 000A39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A3A03
                                                                    • Part of subcall function 000A39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A3A24
                                                                    • Part of subcall function 000A39D5: ShowWindow.USER32(00000000,?,?), ref: 000A3A38
                                                                    • Part of subcall function 000A39D5: ShowWindow.USER32(00000000,?,?), ref: 000A3A41
                                                                    • Part of subcall function 000A434A: _memset.LIBCMT ref: 000A4370
                                                                    • Part of subcall function 000A434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A4415
                                                                  Strings
                                                                  • This is a third-party compiled AutoIt script., xrefs: 000DD279
                                                                  • runas, xrefs: 000DD33A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                  • String ID: This is a third-party compiled AutoIt script.$runas
                                                                  • API String ID: 529118366-3287110873
                                                                  • Opcode ID: 488e9bc5ddd9695a05534cae4c9904ae22c3ff9b99bbd23ee15dd5a1d7a4cd60
                                                                  • Instruction ID: 88e06f95949a854ccdb531e9cc5a76624fdfb060a6a24240a3838d3cf8028a6b
                                                                  • Opcode Fuzzy Hash: 488e9bc5ddd9695a05534cae4c9904ae22c3ff9b99bbd23ee15dd5a1d7a4cd60
                                                                  • Instruction Fuzzy Hash: 5551E630908208EADB21EBF4EC16EFD7B7AAB56750F00416DF451A61A3CBB04686CB21

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 000A36D2
                                                                  • KillTimer.USER32(?,00000001), ref: 000A36FC
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A371F
                                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000A372A
                                                                  • CreatePopupMenu.USER32 ref: 000A373E
                                                                  • PostQuitMessage.USER32(00000000), ref: 000A374D
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                                  • String ID: TaskbarCreated
                                                                  • API String ID: 157504867-2362178303
                                                                  • Opcode ID: ec2657ab77b85f1795e6cb55a9ba33a7e98a8c98d03c3b39a269fbf64527a54f
                                                                  • Instruction ID: 2cdde2e729f937b6f2b8d6f80c91e7f31751afdb6c4c4e998607a8f26b6b5480
                                                                  • Opcode Fuzzy Hash: ec2657ab77b85f1795e6cb55a9ba33a7e98a8c98d03c3b39a269fbf64527a54f
                                                                  • Instruction Fuzzy Hash: 5F415DB1204605FBDB305FE8DC09BBD37EAEB46300F10023EF502966B2CBA09E959761

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 000A49CD
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  • GetCurrentProcess.KERNEL32(?,0012FAEC,00000000,00000000,?), ref: 000A4A9A
                                                                  • IsWow64Process.KERNEL32(00000000), ref: 000A4AA1
                                                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 000A4AE7
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 000A4AF2
                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 000A4B23
                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 000A4B2F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                  • String ID:
                                                                  • API String ID: 1986165174-0
                                                                  • Opcode ID: 487e527a02a4608a819b510d2a66caaced0f66ac3a944dc4d05ca2cf541d57c2
                                                                  • Instruction ID: d82f8cd307d62c9429cf342cdb3bbc11a9332263cfa84ec282b8b238882607a3
                                                                  • Opcode Fuzzy Hash: 487e527a02a4608a819b510d2a66caaced0f66ac3a944dc4d05ca2cf541d57c2
                                                                  • Instruction Fuzzy Hash: FB91C33598D7C0DEC771DBA884501AABFF5AF7A300F4449AED0CA93B02D660E548D76A

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000A4E99
                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000A4D8E,?,?,00000000,00000000), ref: 000A4EB0
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,000A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000A4E2F), ref: 000DD937
                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,000A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000A4E2F), ref: 000DD94C
                                                                  • LockResource.KERNEL32(000A4D8E,?,?,000A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000A4E2F,00000000), ref: 000DD95F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                  • String ID: SCRIPT
                                                                  • API String ID: 3051347437-3967369404
                                                                  • Opcode ID: 0c31d2af5dc6f80ac771638054f228f1c1653f1dcea3199c31c5a3de12e287ee
                                                                  • Instruction ID: e869a63633c2a44a47dee79fe092325d5ea516e0f4e15cc277abb24cd08829a5
                                                                  • Opcode Fuzzy Hash: 0c31d2af5dc6f80ac771638054f228f1c1653f1dcea3199c31c5a3de12e287ee
                                                                  • Instruction Fuzzy Hash: DA115E75240700BFD7218BA5EC88F677BBAFBC6B11F10427CF40596650DBA1EC528660
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID:
                                                                  • API String ID: 3964851224-0
                                                                  • Opcode ID: 3ce51a64895d3864f9f607c2b401eca1d22d2867c2e5ba6308700e10c9815b9a
                                                                  • Instruction ID: 6fdab96c1ece53bd488bbbc861cd93ec4802d7e969108c4b764ff09983bbf464
                                                                  • Opcode Fuzzy Hash: 3ce51a64895d3864f9f607c2b401eca1d22d2867c2e5ba6308700e10c9815b9a
                                                                  • Instruction Fuzzy Hash: F2926970A083418FD764DF24C480BABB7E5BF85304F14896DE98A9B362D775EC45CB92
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,000DE398), ref: 0010446A
                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 0010447B
                                                                  • FindClose.KERNEL32(00000000), ref: 0010448B
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                  • String ID:
                                                                  • API String ID: 48322524-0
                                                                  • Opcode ID: 808d9d9bf45d84319f66fb3a1868b5ce3077505bfa902095cb7b32aa9e148e83
                                                                  • Instruction ID: 752250c8b938d06a1bd3324d50e2f0769a117cf6adaa0739eaf83a93f46bf213
                                                                  • Opcode Fuzzy Hash: 808d9d9bf45d84319f66fb3a1868b5ce3077505bfa902095cb7b32aa9e148e83
                                                                  • Instruction Fuzzy Hash: 66E0D876410500B79220AB38EC4D4E9776C9F06335F10072EF975C10D0E7B49D519595
                                                                  Strings
                                                                  • Variable must be of type 'Object'., xrefs: 000E3E62
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Variable must be of type 'Object'.
                                                                  • API String ID: 0-109567571
                                                                  • Opcode ID: 0d626fdb8a1d24e318a8d6489b378a9d37213caaf26f96973897f2fd32f1ac0f
                                                                  • Instruction ID: 7967339fbd802ffa7d8e93d4c4e13b9c061bf86f446b66ef6e6782477ff6aac3
                                                                  • Opcode Fuzzy Hash: 0d626fdb8a1d24e318a8d6489b378a9d37213caaf26f96973897f2fd32f1ac0f
                                                                  • Instruction Fuzzy Hash: FBA27D74A00245CFCB64CF94C894AAEB7F2FF5A310F248469E905AB352D775ED82CB91
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B0A5B
                                                                  • timeGetTime.WINMM ref: 000B0D16
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B0E53
                                                                  • Sleep.KERNEL32(0000000A), ref: 000B0E61
                                                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 000B0EFA
                                                                  • DestroyWindow.USER32 ref: 000B0F06
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000B0F20
                                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 000E4E83
                                                                  • TranslateMessage.USER32(?), ref: 000E5C60
                                                                  • DispatchMessageW.USER32(?), ref: 000E5C6E
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000E5C82
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                  • API String ID: 4212290369-3242690629
                                                                  • Opcode ID: d82184617f82cc43bc2aa7f9ad9142c43c4fe0752d641d86c73bd57d49d87327
                                                                  • Instruction ID: 63f756e9e87224a4588443f26d581dbd5d142a9a86c31976afc06c64b78897ec
                                                                  • Opcode Fuzzy Hash: d82184617f82cc43bc2aa7f9ad9142c43c4fe0752d641d86c73bd57d49d87327
                                                                  • Instruction Fuzzy Hash: BEB2B070608781DFD724DF24C894BAFB7E5BF85308F14492DE599A72A2CB71E885CB42

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00108F5F: __time64.LIBCMT ref: 00108F69
                                                                    • Part of subcall function 000A4EE5: _fseek.LIBCMT ref: 000A4EFD
                                                                  • __wsplitpath.LIBCMT ref: 00109234
                                                                    • Part of subcall function 000C40FB: __wsplitpath_helper.LIBCMT ref: 000C413B
                                                                  • _wcscpy.LIBCMT ref: 00109247
                                                                  • _wcscat.LIBCMT ref: 0010925A
                                                                  • __wsplitpath.LIBCMT ref: 0010927F
                                                                  • _wcscat.LIBCMT ref: 00109295
                                                                  • _wcscat.LIBCMT ref: 001092A8
                                                                    • Part of subcall function 00108FA5: _memmove.LIBCMT ref: 00108FDE
                                                                    • Part of subcall function 00108FA5: _memmove.LIBCMT ref: 00108FED
                                                                  • _wcscmp.LIBCMT ref: 001091EF
                                                                    • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109824
                                                                    • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109837
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00109452
                                                                  • _wcsncpy.LIBCMT ref: 001094C5
                                                                  • DeleteFileW.KERNEL32(?,?), ref: 001094FB
                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00109511
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00109522
                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00109534
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                  • String ID:
                                                                  • API String ID: 1500180987-0
                                                                  • Opcode ID: e5cc0759299bdecc08078c1f474da6c99f97cea3bcaad48bd29592b8885472e0
                                                                  • Instruction ID: 287885a32076e0c0bb90403ed9b8c6ad9d0a2c96dec8c7d93bc78f78b59fdfdf
                                                                  • Opcode Fuzzy Hash: e5cc0759299bdecc08078c1f474da6c99f97cea3bcaad48bd29592b8885472e0
                                                                  • Instruction Fuzzy Hash: CDC14EB1D00119AEDF21DF95CC91EDEB7BDEF95300F0040AAF609E6192EB709A458F61

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 000A4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001652F8,?,000A37AE,?), ref: 000A4724
                                                                    • Part of subcall function 000C050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000A7165), ref: 000C052D
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000A71A8
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000DE8C8
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000DE909
                                                                  • RegCloseKey.ADVAPI32(?), ref: 000DE947
                                                                  • _wcscat.LIBCMT ref: 000DE9A0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                  • API String ID: 2673923337-2727554177
                                                                  • Opcode ID: e4c57f429c960173ed54d86eba7f1e39cd15d7af8a9a5fd299316ca27328cb0e
                                                                  • Instruction ID: 7e758f36bc059385b6885706be81fd9bdd4ee43b3c7a039096687f092577c86e
                                                                  • Opcode Fuzzy Hash: e4c57f429c960173ed54d86eba7f1e39cd15d7af8a9a5fd299316ca27328cb0e
                                                                  • Instruction Fuzzy Hash: 38719E71509301AEC300EFA5EC619AFBBF8FF95350F40452EF445972A1DBB09989CBA2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 000A3A50
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 000A3A5F
                                                                  • LoadIconW.USER32(00000063), ref: 000A3A76
                                                                  • LoadIconW.USER32(000000A4), ref: 000A3A88
                                                                  • LoadIconW.USER32(000000A2), ref: 000A3A9A
                                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000A3AC0
                                                                  • RegisterClassExW.USER32(?), ref: 000A3B16
                                                                    • Part of subcall function 000A3041: GetSysColorBrush.USER32(0000000F), ref: 000A3074
                                                                    • Part of subcall function 000A3041: RegisterClassExW.USER32(00000030), ref: 000A309E
                                                                    • Part of subcall function 000A3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000A30AF
                                                                    • Part of subcall function 000A3041: LoadIconW.USER32(000000A9), ref: 000A30F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                                  • String ID: #$0$AutoIt v3
                                                                  • API String ID: 2880975755-4155596026
                                                                  • Opcode ID: 446dccd67803b0a62b16f8b295dcdfc5bb7ab1be1db773ff4c80cea488b60aef
                                                                  • Instruction ID: f9abca62349f8fe2d47b74a5f1e00a1f4187ba13bcdb490c3031e6c72fe21e82
                                                                  • Opcode Fuzzy Hash: 446dccd67803b0a62b16f8b295dcdfc5bb7ab1be1db773ff4c80cea488b60aef
                                                                  • Instruction Fuzzy Hash: 992135B0D00308EFEB20DFA4EC19BAD7BB6EB08711F00412EF504AA6A1D3F556918F94

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                  • API String ID: 1825951767-3513169116
                                                                  • Opcode ID: acfb5a0969324f00000bead41149eb410ba53b1d078bb79444fa9c0d6c9d37a7
                                                                  • Instruction ID: 510bc3f031085b3a813d65fb304f26b8cd6fe854cfa5cec3ad46577b6f128e74
                                                                  • Opcode Fuzzy Hash: acfb5a0969324f00000bead41149eb410ba53b1d078bb79444fa9c0d6c9d37a7
                                                                  • Instruction Fuzzy Hash: 9DA12A7591022DAACB14EBE4DC91EEEB779BF16300F44052EF416B7192EF745A09CB60

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 000A3074
                                                                  • RegisterClassExW.USER32(00000030), ref: 000A309E
                                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000A30AF
                                                                  • LoadIconW.USER32(000000A9), ref: 000A30F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 975902462-1005189915
                                                                  • Opcode ID: af38ccbd27f998a817764833b02fa06868207a666a4e0d898599a3516b1096f4
                                                                  • Instruction ID: 8c919822733ba87c35a6901245159a9a8fffafe78ad2723a0f446fba6c6050fc
                                                                  • Opcode Fuzzy Hash: af38ccbd27f998a817764833b02fa06868207a666a4e0d898599a3516b1096f4
                                                                  • Instruction Fuzzy Hash: 0F3134B1840309EFDB508FA4EC85AC9BBF6FB09314F14452EE580E6AA1E3B94596CF51
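The blocks above expose the AutoIt v3 runtime embedded in the dumped module at base 0x000A0000: the registry path Software\AutoIt v3\AutoIt (include-path lookup), the window class "AutoIt v3 GUI", the /AutoIt3ExecuteScript, /AutoIt3ExecuteLine, /AutoIt3OutputDebug and /ErrorStdOut command-line switches, and the @COM_EVENTOBJ / @GUI_* macro names. Because every one of these is handed to a W (wide-character) Win32 API, they are stored in the dump as UTF-16LE and an ASCII-only string scan misses all of them. The script below is an added example, not part of the Joe Sandbox report or its tooling: it scans a raw dump for exactly those indicators in both encodings and reports offsets. The indicator list is copied from the String IDs on this page; the "three distinct indicators" verdict threshold and the sample dump are assumptions constructed for the demo.

```python
"""Scan a raw memory dump for the AutoIt v3 runtime indicators listed in the report.

Added example, not part of the Joe Sandbox report. Feed it the bytes of a
downloaded .sdmp dump; the sample dump at the bottom is constructed for the demo.
"""
import re

# Indicator strings copied from the report's String IDs for the module at
# base 0x000A0000. They are passed to W (wide) Win32 APIs, so in memory they
# are UTF-16LE rather than ASCII.
AUTOIT_INDICATORS = [
    r"Software\AutoIt v3\AutoIt",
    "AutoIt v3 GUI",
    "/AutoIt3ExecuteScript",
    "/AutoIt3ExecuteLine",
    "/AutoIt3OutputDebug",
    "/ErrorStdOut",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "@COM_EVENTOBJ",
    "@GUI_CTRLHANDLE",
    "@GUI_WINHANDLE",
]


def _patterns():
    """Build (indicator, encoding, compiled regex) for both ASCII and UTF-16LE forms."""
    out = []
    for s in AUTOIT_INDICATORS:
        for enc in ("ascii", "utf-16-le"):
            out.append((s, enc, re.compile(re.escape(s.encode(enc)))))
    return out


_PATTERNS = _patterns()


def find_autoit_indicators(dump: bytes):
    """Return a sorted list of (offset, indicator, encoding) for every hit in dump."""
    hits = []
    for s, enc, rx in _PATTERNS:
        for m in rx.finditer(dump):
            hits.append((m.start(), s, enc))
    hits.sort()
    return hits


def is_autoit_compiled(dump: bytes, min_distinct: int = 3) -> bool:
    """Verdict: at least min_distinct different indicators present.

    The threshold is an assumption for this example, not a Joe Sandbox rule.
    """
    distinct = {s for _, s, _ in find_autoit_indicators(dump)}
    return len(distinct) >= min_distinct


def build_sample_dump() -> bytes:
    """Constructed stand-in for an .sdmp: a 64-byte header followed by wide strings
    separated by NUL filler, as the runtime's read-only data would look. Not a real dump."""
    filler = b"\x00" * 16
    parts = [
        b"MZ" + b"\x90" * 62,
        "Software\\AutoIt v3\\AutoIt".encode("utf-16-le"), filler,
        "AutoIt v3 GUI".encode("utf-16-le"), filler,
        "/AutoIt3ExecuteScript".encode("utf-16-le"), filler,
        "@COM_EVENTOBJ".encode("utf-16-le"), filler,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, s, enc in find_autoit_indicators(dump):
        print(f"{off:#010x}  {enc:9}  {s}")
    print("AutoIt-compiled:", is_autoit_compiled(dump))
```

To run it against the real artifact, replace `build_sample_dump()` with the bytes of the downloaded 00000008.00000002.1326919453.00000000000A1000 dump. The same point applies to command-line triage: GNU `strings` needs `-e l` to emit 16-bit little-endian strings, otherwise none of these indicators appear.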

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 000A3074
                                                                  • RegisterClassExW.USER32(00000030), ref: 000A309E
                                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000A30AF
                                                                  • LoadIconW.USER32(000000A9), ref: 000A30F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 975902462-1005189915
                                                                  • Opcode ID: 19eb7f5a2cdf595d6a7371897abe51a6025128aa6acff9727b9ab816c81b0a4e
                                                                  • Instruction ID: 48c1ab3cfc45620a3c654fc6d1f08fbf388a775c13be0c2f627616504257ec47
                                                                  • Opcode Fuzzy Hash: 19eb7f5a2cdf595d6a7371897abe51a6025128aa6acff9727b9ab816c81b0a4e
                                                                  • Instruction Fuzzy Hash: 9C21E3B1900218AFDB10DFA5ED89B9DBBF9FB08700F00412AF910A7AA0D7B14596CF95

                                                                  Control-flow Graph

                                                                  control_flow_graph 1015 12b3d08-12b3d5a call 12b3c08 CreateFileW 1018 12b3d5c-12b3d5e 1015->1018 1019 12b3d63-12b3d70 1015->1019 1020 12b3ebc-12b3ec0 1018->1020 1022 12b3d83-12b3d9a VirtualAlloc 1019->1022 1023 12b3d72-12b3d7e 1019->1023 1024 12b3d9c-12b3d9e 1022->1024 1025 12b3da3-12b3dc9 CreateFileW 1022->1025 1023->1020 1024->1020 1026 12b3dcb-12b3de8 1025->1026 1027 12b3ded-12b3e07 ReadFile 1025->1027 1026->1020 1029 12b3e2b-12b3e2f 1027->1029 1030 12b3e09-12b3e26 1027->1030 1032 12b3e31-12b3e4e 1029->1032 1033 12b3e50-12b3e67 WriteFile 1029->1033 1030->1020 1032->1020 1034 12b3e69-12b3e90 1033->1034 1035 12b3e92-12b3eb7 CloseHandle VirtualFree 1033->1035 1034->1020 1035->1020
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012B3D4D
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                  • Instruction ID: 7c9f071360f676cc10e9c3dc159990bf471afd1464a897e980c8d2dc0460a954
                                                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                  • Instruction Fuzzy Hash: C851EC75A60209FBDF20DFA4CC89FDE77B8BF48741F108558F61AEA180DA749A448B64

                                                                  Control-flow Graph

                                                                  control_flow_graph 1045 a7285-a72a5 call d1940 1048 a72ab-a72d8 call a4750 call c0791 call a700b call a686a 1045->1048 1049 dea22-dea8b call c2de0 7574D0D0 1045->1049 1055 dea8d 1049->1055 1056 dea94-dea9d call a7bcc 1049->1056 1055->1056 1059 deaa2 1056->1059 1059->1059
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 000DEA39
                                                                  • 7574D0D0.COMDLG32(?), ref: 000DEA83
                                                                    • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                                    • Part of subcall function 000C0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C07B0
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: NamePath$7574FullLong_memset
                                                                  • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                                                  • API String ID: 3399031285-1954568251
                                                                  • Opcode ID: 6d07b3204ed395f4ba2f8df81d5e6e5becbb18558e0fedf21b31e69a20154af3
                                                                  • Instruction ID: 20d33843290043e5e8c63579c7728b032269e024954663ec678291d9f438f382
                                                                  • Opcode Fuzzy Hash: 6d07b3204ed395f4ba2f8df81d5e6e5becbb18558e0fedf21b31e69a20154af3
                                                                  • Instruction Fuzzy Hash: BF21C671A042489BCB519FD4CC45BEE7BFDAF49710F00805AE408BB242DFB45989CFA1

                                                                  Control-flow Graph

                                                                  control_flow_graph 1074 a39d5-a3a45 CreateWindowExW * 2 ShowWindow * 2
                                                                  APIs
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A3A03
                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A3A24
                                                                  • ShowWindow.USER32(00000000,?,?), ref: 000A3A38
                                                                  • ShowWindow.USER32(00000000,?,?), ref: 000A3A41
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateShow
                                                                  • String ID: AutoIt v3$edit
                                                                  • API String ID: 1584632944-3779509399
                                                                  • Opcode ID: 6a487eeb72da34aa9d17266e5ed356489d28827f702abe01b97305eddaf1c8f8
                                                                  • Instruction ID: 7b1c45a57e6251d564e2b0c973ae3d9271819f3ff21aca36f10384522083a332
                                                                  • Opcode Fuzzy Hash: 6a487eeb72da34aa9d17266e5ed356489d28827f702abe01b97305eddaf1c8f8
                                                                  • Instruction Fuzzy Hash: 69F0DA71541690BEEB315B276C59E7B3E7ED7C6F50F00413EFD04A2570C6A11892DAB0

                                                                  Control-flow Graph

                                                                  control_flow_graph 1075 a686a-a6891 call a4ddd 1078 de031-de041 call 10955b 1075->1078 1079 a6897-a68a5 call a4ddd 1075->1079 1082 de046-de048 1078->1082 1079->1078 1086 a68ab-a68b1 1079->1086 1084 de04a-de04d call a4e4a 1082->1084 1085 de067-de0af call c0db6 1082->1085 1088 de052-de061 call 1042f8 1084->1088 1096 de0d4 1085->1096 1097 de0b1-de0bb 1085->1097 1087 a68b7-a68d9 call a6a8c 1086->1087 1086->1088 1088->1085 1099 de0d6-de0e9 1096->1099 1098 de0cf-de0d0 1097->1098 1100 de0bd-de0cc 1098->1100 1101 de0d2 1098->1101 1102 de0ef 1099->1102 1103 de260-de263 call c2d55 1099->1103 1100->1098 1101->1099 1105 de0f6-de0f9 call a7480 1102->1105 1106 de268-de271 call a4e4a 1103->1106 1109 de0fe-de120 call a5db2 call 1073e9 1105->1109 1112 de273-de283 call a7616 call a5d9b 1106->1112 1119 de134-de13e call 1073d3 1109->1119 1120 de122-de12f 1109->1120 1128 de288-de2b8 call ff7a1 call c0e2c call c2d55 call a4e4a 1112->1128 1126 de158-de162 call 1073bd 1119->1126 1127 de140-de153 1119->1127 1122 de227-de237 call a750f 1120->1122 1122->1109 1132 de23d-de247 call a735d 1122->1132 1136 de164-de171 1126->1136 1137 de176-de180 call a5e2a 1126->1137 1127->1122 1128->1112 1139 de24c-de25a 1132->1139 1136->1122 1137->1122 1145 de186-de19e call ff73d 1137->1145 1139->1103 1139->1105 1150 de1c1-de1c4 1145->1150 1151 de1a0-de1bf call a7de1 call a5904 1145->1151 1152 de1c6-de1e1 call a7de1 call a6839 call a5904 1150->1152 1153 de1f2-de1f5 1150->1153 1174 de1e2-de1f0 call a5db2 1151->1174 1152->1174 1157 de215-de218 call 10737f 1153->1157 1158 de1f7-de200 call ff65e 1153->1158 1165 de21d-de226 call c0e2c 1157->1165 1158->1128 1167 de206-de210 call c0e2c 1158->1167 1165->1122 1167->1109 1174->1165
                                                                  APIs
                                                                    • Part of subcall function 000A4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4E0F
                                                                  • _free.LIBCMT ref: 000DE263
                                                                  • _free.LIBCMT ref: 000DE2AA
                                                                    • Part of subcall function 000A6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000A6BAD
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                                  • String ID: /v$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                  • API String ID: 2861923089-1634556715
                                                                  • Opcode ID: 95b011186a76e3ff295f72069a9e38f729237fe6d2f269daea81b51ee9739ab0
                                                                  • Instruction ID: a89a2651dd8d55f5b47b0d7f5ee35b7e80899c71aee1a690e3706dc66b62d922
                                                                  • Opcode Fuzzy Hash: 95b011186a76e3ff295f72069a9e38f729237fe6d2f269daea81b51ee9739ab0
                                                                  • Instruction Fuzzy Hash: 44919E71900259EFCF14EFA4CC819EDBBB8FF15310F14442AF816AB2A2DB71A955CB60

                                                                  Control-flow Graph

                                                                  control_flow_graph 1179 a407c-a4092 1180 a4098-a40ad call a7a16 1179->1180 1181 a416f-a4173 1179->1181 1184 dd3c8-dd3d7 LoadStringW 1180->1184 1185 a40b3-a40d3 call a7bcc 1180->1185 1188 dd3e2-dd3fa call a7b2e call a6fe3 1184->1188 1185->1188 1189 a40d9-a40dd 1185->1189 1198 a40ed-a416a call c2de0 call a454e call c2dbc Shell_NotifyIconW call a5904 1188->1198 1201 dd400-dd41e call a7cab call a6fe3 call a7cab 1188->1201 1191 a40e3-a40e8 call a7b2e 1189->1191 1192 a4174-a417d call a8047 1189->1192 1191->1198 1192->1198 1198->1181 1201->1198
                                                                  APIs
                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000DD3D7
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  • _memset.LIBCMT ref: 000A40FC
                                                                  • _wcscpy.LIBCMT ref: 000A4150
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000A4160
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                  • String ID: Line:
                                                                  • API String ID: 3942752672-1585850449
                                                                  • Opcode ID: 1aaa229b7ebd92d7697b4f8f09dcf5866e7689ad180b71bf5a3a683e0d18f4dc
                                                                  • Instruction ID: a76e947bc85c16a1c0a2e7c570465b0310efe1d78b704fae87eb33b71c39d000
                                                                  • Opcode Fuzzy Hash: 1aaa229b7ebd92d7697b4f8f09dcf5866e7689ad180b71bf5a3a683e0d18f4dc
                                                                  • Instruction Fuzzy Hash: 8B31B371008704AFD371EBA0DC46FDB77E8AF95310F10491EF589920A2EBB09689CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                  • String ID:
                                                                  • API String ID: 1559183368-0
                                                                  • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                  • Instruction ID: 10f7dc2318ae58d967d589b05ee2bceb15401efbaa3bd294a622f2b306f6a749
                                                                  • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                  • Instruction Fuzzy Hash: 55519378A00F059BDB288F69DC50FAE77E6AF40326F24872DF825962D1D770ADD09B40
                                                                  APIs
                                                                    • Part of subcall function 012B5678: Sleep.KERNELBASE(000001F4), ref: 012B5689
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012B58E3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileSleep
                                                                  • String ID: EV1G9RGERMBZPHEEP0MJZ7M7RQ
                                                                  • API String ID: 2694422964-3627028931
                                                                  • Opcode ID: ec2ec30d2218bf1699e600ffe5bfe0e0ceaf9a7df04b5fc7557880d93e585094
                                                                  • Instruction ID: b20cd75bd8c6880ebe44723f6120ffa0b63759585b89b0915afe06feed376d06
                                                                  • Opcode Fuzzy Hash: ec2ec30d2218bf1699e600ffe5bfe0e0ceaf9a7df04b5fc7557880d93e585094
                                                                  • Instruction Fuzzy Hash: 7F61C530D14288DBEF11DBB4C844BEEBB74AF19304F044198E248BB2C1D7B91B45CBA6
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000A35A1,SwapMouseButtons,00000004,?), ref: 000A35D4
                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000A35A1,SwapMouseButtons,00000004,?,?,?,?,000A2754), ref: 000A35F5
                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,000A35A1,SwapMouseButtons,00000004,?,?,?,?,000A2754), ref: 000A3617
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: Control Panel\Mouse
                                                                  • API String ID: 3677997916-824357125
                                                                  APIs
                                                                    • Part of subcall function 000A4EE5: _fseek.LIBCMT ref: 000A4EFD
                                                                    • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109824
                                                                    • Part of subcall function 00109734: _wcscmp.LIBCMT ref: 00109837
                                                                  • _free.LIBCMT ref: 001096A2
                                                                  • _free.LIBCMT ref: 001096A9
                                                                  • _free.LIBCMT ref: 00109714
                                                                    • Part of subcall function 000C2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,000C9A24), ref: 000C2D69
                                                                    • Part of subcall function 000C2D55: GetLastError.KERNEL32(00000000,?,000C9A24), ref: 000C2D7B
                                                                  • _free.LIBCMT ref: 0010971C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                  • String ID:
                                                                  • API String ID: 1552873950-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                  • String ID:
                                                                  • API String ID: 2782032738-0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 000A44CF
                                                                    • Part of subcall function 000A407C: _memset.LIBCMT ref: 000A40FC
                                                                    • Part of subcall function 000A407C: _wcscpy.LIBCMT ref: 000A4150
                                                                    • Part of subcall function 000A407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000A4160
                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 000A4524
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A4533
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000DD4B9
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 1378193009-0
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,00001000,00000004,?,00000000), ref: 001AAB87
                                                                  • VirtualProtect.KERNELBASE(?,00001000), ref: 001AAB9C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: RIPTFULLPATH
                                                                  • API String ID: 544645111-4147738662
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: __fread_nolock_memmove
                                                                  • String ID: EA06
                                                                  • API String ID: 1988441806-3962188686
                                                                  APIs
                                                                    • Part of subcall function 000C571C: __FF_MSGBANNER.LIBCMT ref: 000C5733
                                                                    • Part of subcall function 000C571C: __NMSG_WRITE.LIBCMT ref: 000C573A
                                                                    • Part of subcall function 000C571C: RtlAllocateHeap.NTDLL(01270000,00000000,00000001), ref: 000C575F
                                                                  • std::exception::exception.LIBCMT ref: 000C0DEC
                                                                  • __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                                    • Part of subcall function 000C859B: RaiseException.KERNEL32(?,?,00000000,00159E78,?,00000001,?,?,?,000C0E06,00000000,00159E78,000A9E8C,00000001), ref: 000C85F0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                  • String ID: bad allocation
                                                                  • API String ID: 3902256705-2104205924
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 012B442D
                                                                  • ExitProcess.KERNEL32(00000000), ref: 012B444C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CreateExit
                                                                  • String ID: D
                                                                  • API String ID: 126409537-2746444292
                                                                  APIs
                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 001098F8
                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0010990F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Temp$FileNamePath
                                                                  • String ID: aut
                                                                  • API String ID: 3285503233-3010740371
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                    • Part of subcall function 000C0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C0193
                                                                    • Part of subcall function 000C0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 000C019B
                                                                    • Part of subcall function 000C0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C01A6
                                                                    • Part of subcall function 000C0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C01B1
                                                                    • Part of subcall function 000C0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 000C01B9
                                                                    • Part of subcall function 000C0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 000C01C1
                                                                    • Part of subcall function 000B60F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 000B6154
                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000AF9CD
                                                                  • OleInitialize.OLE32(00000000), ref: 000AFA4A
                                                                  • CloseHandle.KERNEL32(00000000), ref: 000E45C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                                                  • String ID:
                                                                  • API String ID: 3094916012-0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 000A4370
                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A4415
                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A4432
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_$_memset
                                                                  • String ID:
                                                                  • API String ID: 1505330794-0
                                                                  • Opcode ID: d3969a4750c8ecc9e35f6343f12d82cb2db7508df64c7de5614dc38bc6f0b79d
                                                                  • Instruction ID: 03e3119b6839281afdb854c6e091a1e7060009108ca1f75b33a290f82a72414f
                                                                  • Opcode Fuzzy Hash: d3969a4750c8ecc9e35f6343f12d82cb2db7508df64c7de5614dc38bc6f0b79d
                                                                  • Instruction Fuzzy Hash: 5431C375504701DFC760DFA4D88469BBBF8FB99308F00092EF58A86251E7F0AA88CB52
                                                                  APIs
                                                                  • __FF_MSGBANNER.LIBCMT ref: 000C5733
                                                                    • Part of subcall function 000CA16B: __NMSG_WRITE.LIBCMT ref: 000CA192
                                                                    • Part of subcall function 000CA16B: __NMSG_WRITE.LIBCMT ref: 000CA19C
                                                                  • __NMSG_WRITE.LIBCMT ref: 000C573A
                                                                    • Part of subcall function 000CA1C8: GetModuleFileNameW.KERNEL32(00000000,001633BA,00000104,00000000,00000001,00000000), ref: 000CA25A
                                                                    • Part of subcall function 000CA1C8: ___crtMessageBoxW.LIBCMT ref: 000CA308
                                                                    • Part of subcall function 000C309F: ___crtCorExitProcess.LIBCMT ref: 000C30A5
                                                                    • Part of subcall function 000C309F: ExitProcess.KERNEL32 ref: 000C30AE
                                                                    • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                                  • RtlAllocateHeap.NTDLL(01270000,00000000,00000001), ref: 000C575F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 1372826849-0
                                                                  • Opcode ID: 9a7b3c0aa408e587827a4313f91bd7859f39d74542a31375deef47fddb3b25f8
                                                                  • Instruction ID: 8b80405132e1c4c5775a04aeda66ac1ec4a197decfd3c53272403280bf52ef8b
                                                                  • Opcode Fuzzy Hash: 9a7b3c0aa408e587827a4313f91bd7859f39d74542a31375deef47fddb3b25f8
                                                                  • Instruction Fuzzy Hash: DB01F539348B11DAD6602774FC56FAE7388CB42763F50022DF415AA1C2DFB0ADC04760
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00109548,?,?,?,?,?,00000004), ref: 001098BB
                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00109548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001098D1
                                                                  • CloseHandle.KERNEL32(00000000,?,00109548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001098D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseCreateHandleTime
                                                                  • String ID:
                                                                  • API String ID: 3397143404-0
                                                                  • Opcode ID: 9146c0f6e053448e38325bb00733dae63a21e0f7998064ea3cda2edeb05095fd
                                                                  • Instruction ID: 00cb77b75789b77e432e948b64c5d365b0d05b3c71383291ad578a3f45e75356
                                                                  • Opcode Fuzzy Hash: 9146c0f6e053448e38325bb00733dae63a21e0f7998064ea3cda2edeb05095fd
                                                                  • Instruction Fuzzy Hash: EFE08632141218B7D7312B54EC0AFCA7B29AB06760F108234FB54694E087B115739798
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00108D1B
                                                                    • Part of subcall function 000C2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,000C9A24), ref: 000C2D69
                                                                    • Part of subcall function 000C2D55: GetLastError.KERNEL32(00000000,?,000C9A24), ref: 000C2D7B
                                                                  • _free.LIBCMT ref: 00108D2C
                                                                  • _free.LIBCMT ref: 00108D3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                  • Instruction ID: 2d18795c06cf7f06cbf20726b95781303e9e141fdb3b40986097e36973abf972
                                                                  • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                  • Instruction Fuzzy Hash: 48E012F161560147CB24A6F8A940FD723DC4F683527140A2DB48ED75C7CFA4F8428228
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CALL
                                                                  • API String ID: 0-4196123274
                                                                  • Opcode ID: f07ed0b785838e4be85a0df0ac78e734815a6825d6ff5d1db737c90b44d4cb9f
                                                                  • Instruction ID: daa9716c7476c71fffb672c6aa60b7481a9e374b55f6a740d27788e62937dd9f
                                                                  • Opcode Fuzzy Hash: f07ed0b785838e4be85a0df0ac78e734815a6825d6ff5d1db737c90b44d4cb9f
                                                                  • Instruction Fuzzy Hash: CD226970608301DFD724DF64C490B6AB7E1BF46314F14896DE89A9B3A2DB75EC85CB82
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: EA06
                                                                  • API String ID: 4104443479-3962188686
                                                                  • Opcode ID: 46266b99695c21cc57930404de7af7830abab6daacc2587a7e399042e548215e
                                                                  • Instruction ID: e28bf6fa97a05e84353d0965e6a73767bedba06c28105880af26c60897ad8474
                                                                  • Opcode Fuzzy Hash: 46266b99695c21cc57930404de7af7830abab6daacc2587a7e399042e548215e
                                                                  • Instruction Fuzzy Hash: 04414D39A041586BDF219BE4CC917FE7BA29BC7300F284475FC869B287D6E05D4483A1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID:
                                                                  • API String ID: 4104443479-0
                                                                  • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                                  • Instruction ID: 4b9b8b2cbf9795dce09636fc6c29db893cb49ef9510194d945614ae41dc01c3a
                                                                  • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                                  • Instruction Fuzzy Hash: 1F3173B1604606AFC714DFA8CCD1E6DB3A9FF99310715C629E519CB691EB30E950CB90
                                                                  APIs
                                                                  • 74D2C8D0.UXTHEME ref: 000A4834
                                                                    • Part of subcall function 000C336C: __lock.LIBCMT ref: 000C3372
                                                                    • Part of subcall function 000C336C: RtlDecodePointer.NTDLL(00000001), ref: 000C337E
                                                                    • Part of subcall function 000C336C: RtlEncodePointer.NTDLL(?), ref: 000C3389
                                                                    • Part of subcall function 000A48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000A4915
                                                                    • Part of subcall function 000A48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A492A
                                                                    • Part of subcall function 000A3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000A3B68
                                                                    • Part of subcall function 000A3B3A: IsDebuggerPresent.KERNEL32 ref: 000A3B7A
                                                                    • Part of subcall function 000A3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,001652F8,001652E0,?,?), ref: 000A3BEB
                                                                    • Part of subcall function 000A3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 000A3C6F
                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A4874
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                                                  • String ID:
                                                                  • API String ID: 2688871447-0
                                                                  • Opcode ID: be6e1fa6f0024b66edb68dced148a71aeeef7d7b8347cb4bfb03ce6e52583186
                                                                  • Instruction ID: 090d56a133cb83fead6f4f34282afb0bef71587a9db26b0ac7f4ac97eac5322d
                                                                  • Opcode Fuzzy Hash: be6e1fa6f0024b66edb68dced148a71aeeef7d7b8347cb4bfb03ce6e52583186
                                                                  • Instruction Fuzzy Hash: 40119D719183419FC700EF68EC0595EBBE8EF85750F10852EF044872B2DFB49689CB92
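The per-function records above share one text layout (an APIs list, a Memory Dump Source block, a Similarity block with API ID and Opcode ID), which is uniform enough to parse and turn into a short triage summary instead of reading hundreds of entries by hand. The following is an added Python example, not Joe Sandbox code. It parses records in that layout from a constructed sample trimmed from three of the records in this report (the Shell_NotifyIconW function, the CreateFileW/SetFileTime/CloseHandle function, and the SystemParametersInfoW function with IsDebuggerPresent in a callee) and applies hypothetical tags of my own: tray icon use, clipboard reads, IsDebuggerPresent in the call tree, CreateFileW with GENERIC_WRITE (0x40000000) followed by SetFileTime in the same function, and SystemParametersInfoW with uiAction SPI_SETFOREGROUNDLOCKTIMEOUT (0x2001, from winuser.h). The tag names, the rule set and the record-splitting heuristic are assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code).

Rules below are hypothetical heuristics chosen for this report's API mix, not sandbox signatures.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three records trimmed from the report's own text layout.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 000A4370
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A4415
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A4432
Memory Dump Source
• Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
Similarity
• API ID: IconNotifyShell_$_memset
• Opcode ID: d3969a4750c8ecc9e35f6343f12d82cb2db7508df64c7de5614dc38bc6f0b79d
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 001098BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 001098D1
• CloseHandle.KERNEL32(00000000,?), ref: 001098D8
Similarity
• API ID: File$CloseCreateHandleTime
• Opcode ID: 9146c0f6e053448e38325bb00733dae63a21e0f7998064ea3cda2edeb05095fd
APIs
• 74D2C8D0.UXTHEME ref: 000A4834
  • Part of subcall function 000A3B3A: IsDebuggerPresent.KERNEL32 ref: 000A3B7A
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A4874
Similarity
• API ID: InfoParametersSystem$DebuggerPresent
• Opcode ID: be6e1fa6f0024b66edb68dced148a71aeeef7d7b8347cb4bfb03ce6e52583186
"""

# "• Name.MODULE(args), ref: ADDR" with an optional "Part of subcall function ADDR:" prefix
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}

GENERIC_WRITE = 0x40000000              # CreateFileW dwDesiredAccess bit (winnt.h)
SPI_SETFOREGROUNDLOCKTIMEOUT = 0x2001   # SystemParametersInfoW uiAction (winuser.h)


@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: int                    # image address of the call site
    subcall: str | None = None  # callee address when reported as "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list[Call] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # Similarity / dump-source fields

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into one FunctionRecord per function (heuristic: an APIs/Strings
    heading starts a new function once the previous one has collected its Similarity fields)."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            if line in ("APIs", "Strings") and cur.fields:
                records.append(cur)
                cur = FunctionRecord()
            continue
        m = CALL_RE.match(line)
        if m and not cur.fields:            # API bullets only occur before the field blocks
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] != "Associated":  # skip the repeated dump cross-references
            cur.fields[m["key"]] = m["val"]
    if cur.calls or cur.fields:
        records.append(cur)
    return records


def _hexarg(call: Call, i: int) -> int | None:
    """Argument i as an integer, or None when the sandbox could not resolve it ('?')."""
    if i < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[i]):
        return int(call.args[i], 16)
    return None


def triage(rec: FunctionRecord) -> list[str]:
    """Hypothetical behaviour tags for one function, derived from its API calls."""
    tags = set()
    direct = [c for c in rec.calls if c.subcall is None]
    names = {c.name for c in direct}
    if "Shell_NotifyIconW" in names:
        tags.add("tray-icon")
    if {"OpenClipboard", "GetClipboardData"} & names:
        tags.add("clipboard-read")
    if any(c.name == "IsDebuggerPresent" for c in rec.calls):   # callees count here
        tags.add("anti-debug")
    # write-handle open followed (by address) by SetFileTime in the same function
    opened = [c.ref for c in direct if c.name == "CreateFileW" and (_hexarg(c, 1) or 0) & GENERIC_WRITE]
    stamped = [c.ref for c in direct if c.name == "SetFileTime"]
    if opened and stamped and min(opened) < max(stamped):
        tags.add("file-time-rewrite")
    if any(c.name == "SystemParametersInfoW" and _hexarg(c, 0) == SPI_SETFOREGROUNDLOCKTIMEOUT
           for c in direct):
        tags.add("foreground-lock-timeout-change")
    return sorted(tags)


def triage_text(text: str) -> dict[str, list[str]]:
    """Opcode ID prefix -> tags for every tagged function; untagged functions are omitted."""
    return {r.opcode_id[:12]: triage(r) for r in parse_records(text) if triage(r)}


if __name__ == "__main__":
    for oid, tags in triage_text(SAMPLE).items():
        print(oid, ", ".join(tags))
```

Run it against the text of the full Functions section to get one line per flagged function keyed by Opcode ID, which is stable across report re-renders. Only direct calls are matched for most rules so that a shared CRT helper does not tag every caller; IsDebuggerPresent is the exception because a check in a callee still protects the caller.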
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __lock_file_memset
                                                                  • String ID:
                                                                  • API String ID: 26237723-0
                                                                  • Opcode ID: cbb0d7c37d6bbe4ceb780bc50000607ffb624429608846e9b82e95c90c388511
                                                                  • Instruction ID: 06e97f6aa6d8e3ea1c32d4de5f3a6b9e138fc449e3b32814f68426c5f8df7013
                                                                  • Opcode Fuzzy Hash: cbb0d7c37d6bbe4ceb780bc50000607ffb624429608846e9b82e95c90c388511
                                                                  • Instruction Fuzzy Hash: 2B01A775800A08EBCF22EF649C02EDF7BA1EF91362F54811DF8241B192DB319A91DF91
                                                                  APIs
                                                                    • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                                  • __lock_file.LIBCMT ref: 000C53EB
                                                                    • Part of subcall function 000C6C11: __lock.LIBCMT ref: 000C6C34
                                                                  • __fclose_nolock.LIBCMT ref: 000C53F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2800547568-0
                                                                  • Opcode ID: 5342343f65012377d35eb1db9462d842a8161f74f23f79f3a7c8497bc6b599fd
                                                                  • Instruction ID: 08498ed3e9dbbcb24953635c74c4910f8d51218a40577197f475e50519445680
                                                                  • Opcode Fuzzy Hash: 5342343f65012377d35eb1db9462d842a8161f74f23f79f3a7c8497bc6b599fd
                                                                  • Instruction Fuzzy Hash: D3F09631910A449AD7206B659C02FED67F0AF41376F25820CA424AB1C3CBFC6A815B55
                                                                  APIs
                                                                    • Part of subcall function 012B3CC8: GetFileAttributesW.KERNELBASE(?), ref: 012B3CD3
                                                                  • CreateDirectoryW.KERNELBASE(?,00000000), ref: 012B4575
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesCreateDirectoryFile
                                                                  • String ID:
                                                                  • API String ID: 3401506121-0
                                                                  • Opcode ID: 875e4113ae1cf33bd3103560008af28001e1c44058add95accb36785407f8daa
                                                                  • Instruction ID: 6cead8b79b97093cefa918d8adc30e5aa8502a383fdbda32868038b60ad62acc
                                                                  • Opcode Fuzzy Hash: 875e4113ae1cf33bd3103560008af28001e1c44058add95accb36785407f8daa
                                                                  • Instruction Fuzzy Hash: DF518331A2021997EF14EFA0C994BFF7379FF58340F04456CA609A7180EB799B45CBA5
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                  • Instruction ID: 73facd27680616ce91d7a4174792ffee224cffbc9e132f89019e4068a5f02592
                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                  • Instruction Fuzzy Hash: E831AEB0A00106DBD758DF58C4D5A6DFBA6FB59300B6487A9E80ACB356DA31EDC1DB80
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: 6633332c2a42325240ed748eb461cf36d09f23877fd482acaa89967800ce361b
                                                                  • Instruction ID: e65bdd374efaa34dab4f4cd9a7c62290de46b948a143e9931a2d260fe45dc108
                                                                  • Opcode Fuzzy Hash: 6633332c2a42325240ed748eb461cf36d09f23877fd482acaa89967800ce361b
                                                                  • Instruction Fuzzy Hash: C2412974604341DFDB24DF64C444B5ABBE1BF46314F0988ACE89A8B762C735E845CF52
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID:
                                                                  • API String ID: 4104443479-0
                                                                  • Opcode ID: a0ff24c84481f97127b737e857dc03636f418376c5c54b3ba3593c417f88a991
                                                                  • Instruction ID: 721cc74c077d82ed1dbee3e3c1afeebfbfd8633884d589361bd1eb51eb427e01
                                                                  • Opcode Fuzzy Hash: a0ff24c84481f97127b737e857dc03636f418376c5c54b3ba3593c417f88a991
                                                                  • Instruction Fuzzy Hash: 512128B2624B09EBDB249F55EC41BAD7BB4FF14351F21842EE44ACD290EB3091D0D765
                                                                  APIs
                                                                    • Part of subcall function 000A4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 000A4BEF
                                                                    • Part of subcall function 000C525B: __wfsopen.LIBCMT ref: 000C5266
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4E0F
                                                                    • Part of subcall function 000A4B6A: FreeLibrary.KERNEL32(00000000), ref: 000A4BA4
                                                                    • Part of subcall function 000A4C70: _memmove.LIBCMT ref: 000A4CBA
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                                  • String ID:
                                                                  • API String ID: 1396898556-0
                                                                  • Opcode ID: 6c72e28629d56a2e38786cf2f01b54dce2acc1f98fc2c04bb5381a4f46a7506e
                                                                  • Instruction ID: faa69626b99dc57a90c5f63fab07a8ebddae0cb8a9f023205b879066e0ca09d9
                                                                  • Opcode Fuzzy Hash: 6c72e28629d56a2e38786cf2f01b54dce2acc1f98fc2c04bb5381a4f46a7506e
                                                                  • Instruction Fuzzy Hash: E7119439610205ABCF25EFB0C816FAD77A5AFC5710F10842DF541A7182EBF19951AB61
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: d496380de66776fd854a8160dc4099239658b02f64f7975c78c58693d460af3e
                                                                  • Instruction ID: 33b92a0915eb0f8949d5a7300f1aa17d1a13909a3e8a3d5eca58f5fcdea834b1
                                                                  • Opcode Fuzzy Hash: d496380de66776fd854a8160dc4099239658b02f64f7975c78c58693d460af3e
                                                                  • Instruction Fuzzy Hash: E9215570A08341DFCB24DFA4C444B5ABBE0BF8A314F04886CF88A97762D731E805CB92
                                                                  APIs
                                                                  • __lock_file.LIBCMT ref: 000C48A6
                                                                    • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2597487223-0
                                                                  • Opcode ID: e7cedccf37411053e6f8e7226782e049d5afdc906ab730963c7284f347f28cd2
                                                                  • Instruction ID: 9ea78d38b8ca0117b12a1c99fa7aba926992e6e00dd8a772f6ae82af486397d1
                                                                  • Opcode Fuzzy Hash: e7cedccf37411053e6f8e7226782e049d5afdc906ab730963c7284f347f28cd2
                                                                  • Instruction Fuzzy Hash: 82F0AF31900609EBDF61AFA48C06FEE36A0BF11325F15851CB8249A1D2CF788955DB55
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4E7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: d174259adf8f52bd5ff39eb673f460f17b4f549bf5ba688e12aa7744d38338a2
                                                                  • Instruction ID: 8e429f0d3231673d06537ff244619b99410de60e9d4d88b3103787c97b6340a6
                                                                  • Opcode Fuzzy Hash: d174259adf8f52bd5ff39eb673f460f17b4f549bf5ba688e12aa7744d38338a2
                                                                  • Instruction Fuzzy Hash: D6F03079501711CFCB74DFA4D494816B7F1BF95329310893EE1D682610C7B19890DF40
                                                                  APIs
                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000C07B0
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LongNamePath_memmove
                                                                  • String ID:
                                                                  • API String ID: 2514874351-0
                                                                  • Opcode ID: 68796c99e377626d4fcd476d47834e9b4f946fa38e3c75f45a39f7b891e78d77
                                                                  • Instruction ID: d94b7b26942de2cb35feb4175e34b03067a4bdd9183bd6a543e94640d92f4db4
                                                                  • Opcode Fuzzy Hash: 68796c99e377626d4fcd476d47834e9b4f946fa38e3c75f45a39f7b891e78d77
                                                                  • Instruction Fuzzy Hash: 02E0867690422867C72196989C05FEAB7ADDB896A0F0441B6FC0CD7205D9609C9186A0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __fread_nolock
                                                                  • String ID:
                                                                  • API String ID: 2638373210-0
                                                                  • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                  • Instruction ID: 0e1a89ff798ae0a31bd84de40e36193586669f0a18486e3296780bfe5b1d33a3
                                                                  • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                  • Instruction Fuzzy Hash: 1EE092B0108B005BD7388E24D811BE373E1AB05305F00081DF2EA83242EBA278418759
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?), ref: 012B3CD3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                  • Instruction ID: 6d5ae7c3fc9d381c54c56747b7e16cb4c05035d7889c47f72fd3ab648b2025f6
                                                                  • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                  • Instruction Fuzzy Hash: A5E08C3096520CEBDB10CAED8986AE9B7A8BB043A0F004654AA06C3280D5319A04D750
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?), ref: 012B3CA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                  • Instruction ID: 78a94902ee1fbcebb665624c481acbbe21d448905325a2255f9b86f776fa38f2
                                                                  • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                  • Instruction Fuzzy Hash: E0D0A73091520CEBCB10CFF99D049DD73A8E709360F004754FD15C3380E53199049794
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __wfsopen
                                                                  • String ID:
                                                                  • API String ID: 197181222-0
                                                                  • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                  • Instruction ID: 79fc7c8b5094c04bb3d01e0bce02cdaabf0a287aa46b062146e50137f8bb9baa
                                                                  • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                  • Instruction Fuzzy Hash: 85B0927A44020C77CE012A82EC02F897B599B467A4F408020FB0C18162A673A6A49A89
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 012B5689
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                  • Instruction ID: eae7401a550ae47d30927833e29a3f96a600447f140f76ed731d4855b4b14ba1
                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                  • Instruction Fuzzy Hash: 9EE0BF7494010DEFDB00EFA4D9496DD7BB4EF04302F1005A1FD05D7680DB309E548A66
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 012B5689
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1327811021.00000000012B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_12b3000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction ID: 2ee8fb32073893c079eef4e551fb7337a76a84bbc4ad73f0eca49d8d25be6b13
                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction Fuzzy Hash: 83E0E67494010DDFDB00EFB4D9496DD7BB4EF04302F100161FD01D6280D6309D508A62
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0012CB37
                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012CB95
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0012CBD6
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0012CC00
                                                                  • SendMessageW.USER32 ref: 0012CC29
                                                                  • _wcsncpy.LIBCMT ref: 0012CC95
                                                                  • GetKeyState.USER32(00000011), ref: 0012CCB6
                                                                  • GetKeyState.USER32(00000009), ref: 0012CCC3
                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012CCD9
                                                                  • GetKeyState.USER32(00000010), ref: 0012CCE3
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0012CD0C
                                                                  • SendMessageW.USER32 ref: 0012CD33
                                                                  • SendMessageW.USER32(?,00001030,?,0012B348), ref: 0012CE37
                                                                  • SetCapture.USER32(?), ref: 0012CE69
                                                                  • ClientToScreen.USER32(?,?), ref: 0012CECE
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0012CEF5
                                                                  • ReleaseCapture.USER32 ref: 0012CF00
                                                                  • GetCursorPos.USER32(?), ref: 0012CF3A
                                                                  • ScreenToClient.USER32(?,?), ref: 0012CF47
                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0012CFA3
                                                                  • SendMessageW.USER32 ref: 0012CFD1
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0012D00E
                                                                  • SendMessageW.USER32 ref: 0012D03D
                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0012D05E
                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0012D06D
                                                                  • GetCursorPos.USER32(?), ref: 0012D08D
                                                                  • ScreenToClient.USER32(?,?), ref: 0012D09A
                                                                  • GetParent.USER32(?), ref: 0012D0BA
                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0012D123
                                                                  • SendMessageW.USER32 ref: 0012D154
                                                                  • ClientToScreen.USER32(?,?), ref: 0012D1B2
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0012D1E2
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0012D20C
                                                                  • SendMessageW.USER32 ref: 0012D22F
                                                                  • ClientToScreen.USER32(?,?), ref: 0012D281
                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0012D2B5
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0012D351
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                                  • String ID: @GUI_DRAGID$F
                                                                  • API String ID: 302779176-4164748364
                                                                  • Opcode ID: d5e31844b85cee8097bfc50c44467105254fe9bc3d5cd116ab3feab7ce351fe9
                                                                  • Instruction ID: 205474e86beb1f7b46aad5d7c43b2bdb60cc993470c47da2f8de426e37469521
                                                                  • Opcode Fuzzy Hash: d5e31844b85cee8097bfc50c44467105254fe9bc3d5cd116ab3feab7ce351fe9
                                                                  • Instruction Fuzzy Hash: 4442BB78204290AFD724CF28E844EAABBF6FF49350F14052DF695876A1C731D8A5DB92
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$_memset
                                                                  • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                  • API String ID: 1357608183-1798697756
                                                                  • Opcode ID: dc08cfaa5ec3cf425feb0da69614b75307364c593bb591f8b008d2e706239b1b
                                                                  • Instruction ID: d733d03c6cf22d27948ed5663daf13e379bc09a1a361f2bf0e7ed6dfb5189d7b
                                                                  • Opcode Fuzzy Hash: dc08cfaa5ec3cf425feb0da69614b75307364c593bb591f8b008d2e706239b1b
                                                                  • Instruction Fuzzy Hash: 6D939371A04219DBDB24CF58C881BFDB7F1FF48710F25816AEA49AB691E7709E81DB40
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(00000000,?), ref: 000A48DF
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000DD665
                                                                  • IsIconic.USER32(?), ref: 000DD66E
                                                                  • ShowWindow.USER32(?,00000009), ref: 000DD67B
                                                                  • SetForegroundWindow.USER32(?), ref: 000DD685
                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000DD69B
                                                                  • GetCurrentThreadId.KERNEL32 ref: 000DD6A2
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 000DD6AE
                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 000DD6BF
                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 000DD6C7
                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 000DD6CF
                                                                  • SetForegroundWindow.USER32(?), ref: 000DD6D2
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD6E7
                                                                  • keybd_event.USER32(00000012,00000000), ref: 000DD6F2
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD6FC
                                                                  • keybd_event.USER32(00000012,00000000), ref: 000DD701
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD70A
                                                                  • keybd_event.USER32(00000012,00000000), ref: 000DD70F
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 000DD719
                                                                  • keybd_event.USER32(00000012,00000000), ref: 000DD71E
                                                                  • SetForegroundWindow.USER32(?), ref: 000DD721
                                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 000DD748
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 4125248594-2988720461
                                                                  • Opcode ID: 4a9d35db9c7924c9560f03eb59a3298b85b5c33892e6959e9b5ff08cda7c4abb
                                                                  • Instruction ID: 3520ac04ace02de6f8100b92f5b49d9fda90f3374a5f078f4f62f735c40fa498
                                                                  • Opcode Fuzzy Hash: 4a9d35db9c7924c9560f03eb59a3298b85b5c33892e6959e9b5ff08cda7c4abb
                                                                  • Instruction Fuzzy Hash: F6317371A40318BAEB306F619C49F7F7E7CEB44B50F10407AFA04EA1D1D6B05952AAA0
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0010C78D
                                                                  • FindClose.KERNEL32(00000000), ref: 0010C7E1
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0010C806
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0010C81D
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0010C844
                                                                  • __swprintf.LIBCMT ref: 0010C890
                                                                  • __swprintf.LIBCMT ref: 0010C8D3
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • __swprintf.LIBCMT ref: 0010C927
                                                                    • Part of subcall function 000C3698: __woutput_l.LIBCMT ref: 000C36F1
                                                                  • __swprintf.LIBCMT ref: 0010C975
                                                                    • Part of subcall function 000C3698: __flsbuf.LIBCMT ref: 000C3713
                                                                    • Part of subcall function 000C3698: __flsbuf.LIBCMT ref: 000C372B
                                                                  • __swprintf.LIBCMT ref: 0010C9C4
                                                                  • __swprintf.LIBCMT ref: 0010CA13
                                                                  • __swprintf.LIBCMT ref: 0010CA62
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                  • API String ID: 3953360268-2428617273
                                                                  • Opcode ID: 3ce5014c1b8c577d114a536475918ce5508d4b36aae24739b1366bdd04fc9eda
                                                                  • Instruction ID: 10c65735e99426d7c21e78a207fc0033d63cdedb763c409ee5bc016f8e5c3d13
                                                                  • Opcode Fuzzy Hash: 3ce5014c1b8c577d114a536475918ce5508d4b36aae24739b1366bdd04fc9eda
                                                                  • Instruction Fuzzy Hash: D1A11BB1508304ABC714EFA4C885EEFB7ECBF95704F40492DF59586192EB34DA49CBA2
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0010EFB6
                                                                  • _wcscmp.LIBCMT ref: 0010EFCB
                                                                  • _wcscmp.LIBCMT ref: 0010EFE2
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0010EFF4
                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 0010F00E
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0010F026
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F031
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0010F04D
                                                                  • _wcscmp.LIBCMT ref: 0010F074
                                                                  • _wcscmp.LIBCMT ref: 0010F08B
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010F09D
                                                                  • SetCurrentDirectoryW.KERNEL32(00158920), ref: 0010F0BB
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0010F0C5
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F0D2
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F0E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                  • String ID: *.*
                                                                  • API String ID: 1803514871-438819550
                                                                  • Opcode ID: 9220c0595c408df891f30750fe2bcbbf2ba49d13c6e21ed8f41e60d2b6bff9db
                                                                  • Instruction ID: b9c35c9530647fc240f92b466d06eb6a603843f6b965585d04625c819738289c
                                                                  • Opcode Fuzzy Hash: 9220c0595c408df891f30750fe2bcbbf2ba49d13c6e21ed8f41e60d2b6bff9db
                                                                  • Instruction Fuzzy Hash: 9F31E532500219BACB34EFA4DC49EEE77ADAF45360F10417DF840E24D1DBB0DA96CA51
                                                                  APIs
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00120953
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0012F910,00000000,?,00000000,?,?), ref: 001209C1
                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00120A09
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00120A92
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00120DB2
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00120DBF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                  • API String ID: 536824911-966354055
                                                                  • Opcode ID: 53ba5d63142b2515dc82b117fcdeafdb5195dcf4b1af475a2e3ff3580668348c
                                                                  • Instruction ID: 2ceaa1aa7235d837f086b1eb09f11b0c869dc129abe775060d05e91abad832b2
                                                                  • Opcode Fuzzy Hash: 53ba5d63142b2515dc82b117fcdeafdb5195dcf4b1af475a2e3ff3580668348c
                                                                  • Instruction Fuzzy Hash: 30028A756006119FCB15EF64D881E6AB7E5FF8A710F04895CF88A9B7A2CB34EC51CB81
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • DragQueryPoint.SHELL32(?,?), ref: 0012C627
                                                                    • Part of subcall function 0012AB37: ClientToScreen.USER32(?,?), ref: 0012AB60
                                                                    • Part of subcall function 0012AB37: GetWindowRect.USER32(?,?), ref: 0012ABD6
                                                                    • Part of subcall function 0012AB37: PtInRect.USER32(?,?,0012C014), ref: 0012ABE6
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0012C690
                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0012C69B
                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0012C6BE
                                                                  • _wcscat.LIBCMT ref: 0012C6EE
                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0012C705
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0012C71E
                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0012C735
                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0012C757
                                                                  • DragFinish.SHELL32(?), ref: 0012C75E
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0012C851
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                  • API String ID: 2166380349-3440237614
                                                                  • Opcode ID: 2e2ee6940a160a3d77643b73d86cfff588bd02347dc7bdf6d11a2011f377a03e
                                                                  • Instruction ID: 53e398dfe3ae870e1078013a50e30bcf1e52a9f290a71e1023af37064488bd38
                                                                  • Opcode Fuzzy Hash: 2e2ee6940a160a3d77643b73d86cfff588bd02347dc7bdf6d11a2011f377a03e
                                                                  • Instruction Fuzzy Hash: C1618D71108300AFC711EFA4DC85DAFBBF8EF89310F40492EF695961A1DB709959CB92
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0010F113
                                                                  • _wcscmp.LIBCMT ref: 0010F128
                                                                  • _wcscmp.LIBCMT ref: 0010F13F
                                                                    • Part of subcall function 00104385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001043A0
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0010F16E
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F179
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0010F195
                                                                  • _wcscmp.LIBCMT ref: 0010F1BC
                                                                  • _wcscmp.LIBCMT ref: 0010F1D3
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010F1E5
                                                                  • SetCurrentDirectoryW.KERNEL32(00158920), ref: 0010F203
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0010F20D
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F21A
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F22C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                  • String ID: *.*
                                                                  • API String ID: 1824444939-438819550
                                                                  • Opcode ID: 53145d07fe1e814827adfdd209701f9e43d3eec4d0f153cac5551e46cc955732
                                                                  • Instruction ID: 62b3728151950138e5f7d1ba2c3b8865e1e97ca1752441598d3c92cdc73b2e43
                                                                  • Opcode Fuzzy Hash: 53145d07fe1e814827adfdd209701f9e43d3eec4d0f153cac5551e46cc955732
                                                                  • Instruction Fuzzy Hash: 5131C236500219BADB30AFA4EC4AEEE77BCAF45360F14417DE850A24E1DB70DA97CA54
                                                                  APIs
                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0010A20F
                                                                  • __swprintf.LIBCMT ref: 0010A231
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0010A26E
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0010A293
                                                                  • _memset.LIBCMT ref: 0010A2B2
                                                                  • _wcsncpy.LIBCMT ref: 0010A2EE
                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0010A323
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0010A32E
                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 0010A337
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0010A341
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                  • String ID: :$\$\??\%s
                                                                  • API String ID: 2733774712-3457252023
                                                                  • Opcode ID: fa6013f0fdf4142c922a24b7807e89978cc870212254a878642e5c887c5a9e5c
                                                                  • Instruction ID: 6ef63c7b5f714530ca7b8d0d17f9f7878a20bca45cf9bcb84401690bfc85cb2c
                                                                  • Opcode Fuzzy Hash: fa6013f0fdf4142c922a24b7807e89978cc870212254a878642e5c887c5a9e5c
                                                                  • Instruction Fuzzy Hash: 3231A075500209ABDB20DFA0DC49FEB37BCFF89740F5041BAF509D61A1EB7096968B25
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0012C1FC
                                                                  • GetFocus.USER32 ref: 0012C20C
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 0012C217
                                                                  • _memset.LIBCMT ref: 0012C342
                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0012C36D
                                                                  • GetMenuItemCount.USER32(?), ref: 0012C38D
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 0012C3A0
                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0012C3D4
                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0012C41C
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0012C454
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0012C489
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                                  • String ID: 0
                                                                  • API String ID: 3616455698-4108050209
                                                                  • Opcode ID: 3c1dab43a40fdd489db5d6d3de475526ed2bd5d8e437e930881abfa02162f84e
                                                                  • Instruction ID: d06eb7d21d80e3fe9ef9c4c72179cc55d8ec4fe09c74b344849f7cdc9fec42b6
                                                                  • Opcode Fuzzy Hash: 3c1dab43a40fdd489db5d6d3de475526ed2bd5d8e437e930881abfa02162f84e
                                                                  • Instruction Fuzzy Hash: 9381B270108361AFD720DF14E884AAFBBE9FF88314F104A2DFA8597291D770D965CB92
                                                                  APIs
                                                                    • Part of subcall function 000F8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F821E
                                                                    • Part of subcall function 000F8202: GetLastError.KERNEL32(?,000F7CE2,?,?,?), ref: 000F8228
                                                                    • Part of subcall function 000F8202: GetProcessHeap.KERNEL32(00000008,?,?,000F7CE2,?,?,?), ref: 000F8237
                                                                    • Part of subcall function 000F8202: RtlAllocateHeap.NTDLL(00000000,?,000F7CE2), ref: 000F823E
                                                                    • Part of subcall function 000F8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F8255
                                                                    • Part of subcall function 000F829F: GetProcessHeap.KERNEL32(00000008,000F7CF8,00000000,00000000,?,000F7CF8,?), ref: 000F82AB
                                                                    • Part of subcall function 000F829F: RtlAllocateHeap.NTDLL(00000000,?,000F7CF8), ref: 000F82B2
                                                                    • Part of subcall function 000F829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000F7CF8,?), ref: 000F82C3
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000F7D13
                                                                  • _memset.LIBCMT ref: 000F7D28
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000F7D47
                                                                  • GetLengthSid.ADVAPI32(?), ref: 000F7D58
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 000F7D95
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F7DB1
                                                                  • GetLengthSid.ADVAPI32(?), ref: 000F7DCE
                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000F7DDD
                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 000F7DE4
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000F7E05
                                                                  • CopySid.ADVAPI32(00000000), ref: 000F7E0C
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000F7E3D
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000F7E63
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F7E77
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                  • String ID:
                                                                  • API String ID: 2347767575-0
                                                                  • Opcode ID: a2d456be6964b525baad2de7101dc617b8c557cde0ff8c30cfbb9ba622b90170
                                                                  • Instruction ID: 39f0ee950ead71acad7d5baac1c2734aa0494d9eaa17ca96b579493f657d73ea
                                                                  • Opcode Fuzzy Hash: a2d456be6964b525baad2de7101dc617b8c557cde0ff8c30cfbb9ba622b90170
                                                                  • Instruction Fuzzy Hash: D9615C71900109AFDF108FA0DC44EFEBBBAFF08300F04816EF915A6691DB319A16DB61
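The two API lists above, the CreateDirectoryW / CreateFileW / DeviceIoControl function at 0010A20F-0010A341 and the GetUserObjectSecurity / AddAce / SetUserObjectSecurity function at 000F7D13-000F7E77, are easier to triage once the hex arguments are decoded: 02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, 000900A4 is FSCTL_SET_REPARSE_POINT, and together with the `\??\%s` format string in that function's String ID this is the standard sequence for creating an NTFS junction (the RemoveDirectoryW afterwards removes the directory again when setting the reparse point fails); 00000004 in SetUserObjectSecurity is DACL_SECURITY_INFORMATION, so the second function appends an ACE to the DACL of a window station or desktop object. Because the report identifies the binary as a compiled AutoIt script, both functions are most likely AutoIt runtime-library routines, so they show what the interpreter can do rather than what the embedded script does. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses trace lines in the report's own format (the inline input is copied from these lists), decodes the constants from the Windows SDK tables, and flags the two sequences; the rule logic, the function names and the output format are this example's own.

```python
"""Decode the hex constants in Joe Sandbox API lists and flag two call sequences: NTFS reparse
point (junction) creation and a window station / desktop DACL rewrite.  Added example."""
import re
from typing import Dict, List, Optional

# Constructed input: API lines copied from the report's "APIs" lists (one call per line).
TRACE = """\
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0010A293
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0010A323
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00120A92
  • Part of subcall function 000F8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F821E
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F7DB1
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F7E77
• GetAsyncKeyState.USER32(000000A0), ref: 00100122
• GetFocus.USER32 ref: 0012C20C
"""
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"  # optional subcall prefix
    r"([A-Za-z_]\w*)\.\w+"                                   # Api.MODULE
    r"(?:\((.*?)\))?"                                        # (args); absent for GetFocus
    r"(?:,?\s*ref:\s*([0-9A-Fa-f]+))?")                      # , ref: ADDR

# Windows SDK constants (winnt.h, winioctl.h, winuser.h), values as defined there.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
         0x00000080: "FILE_ATTRIBUTE_NORMAL"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
FSCTL = {0x900A4: "FSCTL_SET_REPARSE_POINT", 0x900A8: "FSCTL_GET_REPARSE_POINT", 0x900AC: "FSCTL_DELETE_REPARSE_POINT"}
METHOD = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
IOCTL_ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
DACL_SECURITY_INFORMATION = 0x4

def bits(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the flag bits set in value; bits not in the table are reported as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)            # keys are disjoint masks, so sum == OR
    return names + ([f"0x{rest:08X}"] if rest else [])

def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a CTL_CODE() value into its device-type, function, method and access fields."""
    return {"device": "FILE_DEVICE_FILE_SYSTEM" if code >> 16 == 9 else f"0x{code >> 16:X}",
            "function": (code >> 2) & 0xFFF, "method": METHOD[code & 3],
            "access": IOCTL_ACCESS[(code >> 14) & 3], "name": FSCTL.get(code)}

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One report line -> {api, args, ref, subcall}; the report's '?' (unresolved value) becomes None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    subcall, api, args, ref = m.groups()
    argv: List[object] = []
    for tok in (args.split(",") if args else []):
        tok = tok.strip()
        try:
            argv.append(None if tok == "?" else int(tok, 16))
        except ValueError:
            argv.append(tok)              # non-hex literal such as *.*
    return {"api": api, "args": argv, "ref": ref, "subcall": subcall}

def describe(call: Dict[str, object]) -> str:
    """Decode the arguments that matter for triage; empty when there is nothing to add."""
    api, a = call["api"], call["args"]
    if api == "CreateFileW" and len(a) >= 6:
        return f"access={'|'.join(bits(a[1] or 0, ACCESS))} flags={'|'.join(bits(a[5] or 0, FLAGS))}"
    if api == "DeviceIoControl" and len(a) >= 2 and a[1] is not None:
        d = decode_ioctl(a[1])
        return f"ioctl={d['name'] or hex(a[1])} ({d['device']} fn={d['function']} {d['method']} {d['access']})"
    if api == "RegSetValueExW" and len(a) >= 4 and a[3] is not None:
        return f"type={REG_TYPE.get(a[3], a[3])}"
    if api in ("GetAsyncKeyState", "GetKeyState") and a and a[0] is not None:
        return f"key={VK.get(a[0], hex(a[0]))}"
    if api == "SetUserObjectSecurity" and len(a) >= 2 and a[1] == DACL_SECURITY_INFORMATION:
        return "info=DACL_SECURITY_INFORMATION"
    return ""

def find_sequences(calls: List[Dict[str, object]]) -> List[str]:
    """Ordered-pair rules: an earlier call arms the rule, a later call fires it."""
    findings, reparse_handle, ace_added = [], False, False
    for c in calls:
        api, a = c["api"], c["args"]
        if api == "CreateFileW" and len(a) >= 6 and (a[5] or 0) & 0x00200000:  # FILE_FLAG_OPEN_REPARSE_POINT
            reparse_handle = True
        elif api == "DeviceIoControl" and reparse_handle and len(a) >= 2 and a[1] == 0x900A4:
            findings.append(f"reparse point (junction) creation at ref {c['ref']}")
        elif api == "AddAce":
            ace_added = True
        elif api == "SetUserObjectSecurity" and ace_added and len(a) >= 2 and a[1] == DACL_SECURITY_INFORMATION:
            findings.append(f"window station/desktop DACL rewritten at ref {c['ref']}")
    return findings

def analyze(trace: str) -> Dict[str, object]:
    calls = [c for c in (parse_line(line) for line in trace.splitlines()) if c]
    for c in calls:
        c["decoded"] = describe(c)
    return {"calls": calls, "findings": find_sequences(calls)}

if __name__ == "__main__":
    result = analyze(TRACE)
    for c in result["calls"]:
        print(f"{c['ref']}  {c['api']:<24} {c['decoded']}")
    print("findings:", result["findings"])
```

Run as a script it prints one decoded line per call followed by the findings; to use it on a whole report, feed the text of all the APIs sections to analyze(). The rules test call order rather than adjacency because the report lists each function's calls in address order with unrelated calls in between, and '?' arguments stay None rather than being guessed, so a CreateFileW whose flags the sandbox could not resolve never arms the junction rule.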
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                  • API String ID: 0-4052911093
                                                                  • Opcode ID: 9b208c9b77af1ee7d76a7f6ff931609cf7f6a25597bca6f86b55b41e0f518b66
                                                                  • Instruction ID: b9ec638008235cad03d62d521700c0c9564821c32a802ea071ffb82ff36b8c73
                                                                  • Opcode Fuzzy Hash: 9b208c9b77af1ee7d76a7f6ff931609cf7f6a25597bca6f86b55b41e0f518b66
                                                                  • Instruction Fuzzy Hash: 91725C71E00219DBDB64CF58C880BFEB7F5EF44710F14816AE909EB691EB359A81DB90
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 00100097
                                                                  • SetKeyboardState.USER32(?), ref: 00100102
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00100122
                                                                  • GetKeyState.USER32(000000A0), ref: 00100139
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00100168
                                                                  • GetKeyState.USER32(000000A1), ref: 00100179
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 001001A5
                                                                  • GetKeyState.USER32(00000011), ref: 001001B3
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 001001DC
                                                                  • GetKeyState.USER32(00000012), ref: 001001EA
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00100213
                                                                  • GetKeyState.USER32(0000005B), ref: 00100221
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: ec5c7b734beead219239852d874e9b7a4b4616eda44504ceb64dfb172709df93
                                                                  • Instruction ID: 5d89068efea53e897070c371b72b07cbf311b847ad10fbaaf7e4df28d8426f52
                                                                  • Opcode Fuzzy Hash: ec5c7b734beead219239852d874e9b7a4b4616eda44504ceb64dfb172709df93
                                                                  • Instruction Fuzzy Hash: 9851DA3090478829FB36DBA089547EABFB49F16380F08459ED9C65A5C3DBE4DB8CC761
                                                                  APIs
                                                                    • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001204AC
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0012054B
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001205E3
                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00120822
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0012082F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1240663315-0
                                                                  • Opcode ID: 5a184a31ca51748f264cf2f53a03f9049a2fdbd8cfd48c427e776bb5cab9ed2a
                                                                  • Instruction ID: cb8d0d65ecf08438f2e9c59bea6e320ef525eb8b14526f709d305a28b49ef643
                                                                  • Opcode Fuzzy Hash: 5a184a31ca51748f264cf2f53a03f9049a2fdbd8cfd48c427e776bb5cab9ed2a
                                                                  • Instruction Fuzzy Hash: 46E16B30604214AFCB15DF28D891E6BBBE5EF89714F04896DF84ADB262DB30ED11CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                  • String ID:
                                                                  • API String ID: 1737998785-0
                                                                  • Opcode ID: 2e0b2c5b486374593c6170fffb42b2971c59a377ad068c1b1ae10f0b7e15228a
                                                                  • Instruction ID: 2a042398e30bca425458c08fb1f65ee3eb39967d14a98a01c4782602f33a0c1b
                                                                  • Opcode Fuzzy Hash: 2e0b2c5b486374593c6170fffb42b2971c59a377ad068c1b1ae10f0b7e15228a
                                                                  • Instruction Fuzzy Hash: CF21A335700210AFDB14AF64EC19BAD7BB8EF05B10F148039F946DB6A2DB74AC92CB54
                                                                  APIs
                                                                    • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                                    • Part of subcall function 00104A31: GetFileAttributesW.KERNEL32(?,0010370B), ref: 00104A32
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 001038A3
                                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0010394B
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0010395E
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0010397B
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0010399D
                                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 001039B9
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                  • String ID: \*.*
                                                                  • API String ID: 4002782344-1173974218
                                                                  • Opcode ID: d44bde46c9819cc483733a86dafa687684805078d949280f02017c422f395ad6
                                                                  • Instruction ID: c12cc7cba50047ab064635cde0872412482bba6ec27730997c5b75140f654532
                                                                  • Opcode Fuzzy Hash: d44bde46c9819cc483733a86dafa687684805078d949280f02017c422f395ad6
                                                                  • Instruction Fuzzy Hash: F551AD3180414CAACF15EBE0CE929EEB779AF16305F604069E456B71D2EFB06F09CB60
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0010F440
                                                                  • Sleep.KERNEL32(0000000A), ref: 0010F470
                                                                  • _wcscmp.LIBCMT ref: 0010F484
                                                                  • _wcscmp.LIBCMT ref: 0010F49F
                                                                  • FindNextFileW.KERNEL32(?,?), ref: 0010F53D
                                                                  • FindClose.KERNEL32(00000000), ref: 0010F553
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                  • String ID: *.*
                                                                  • API String ID: 713712311-438819550
                                                                  • Opcode ID: 79eb9bd372303ada8cbc3834b940c2666485d98fe9745054078f766f96bf3f68
                                                                  • Instruction ID: 33f7bd9061cdc92a3c989d356cee1d8c4eb75e9ed624da8c797bf36fe85b9011
                                                                  • Opcode Fuzzy Hash: 79eb9bd372303ada8cbc3834b940c2666485d98fe9745054078f766f96bf3f68
                                                                  • Instruction Fuzzy Hash: DB417F71900219AFCF24DFA4DC4AAEEBBB4FF05310F10846AE855A75D1DB709A96CB50
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0012D47C
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0012D49C
                                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0012D6D7
                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0012D6F5
                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0012D716
                                                                  • ShowWindow.USER32(00000003,00000000), ref: 0012D735
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0012D75A
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0012D77D
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                                                  • String ID:
                                                                  • API String ID: 830902736-0
                                                                  • Opcode ID: 5a02fc780d87115e628c760441d1a78e59c52741a7fb61775365477b0b7cf325
                                                                  • Instruction ID: c13d29f524aa1895475018a2b30a5c0cc64b26be923e3323b352109bb149a0a0
                                                                  • Opcode Fuzzy Hash: 5a02fc780d87115e628c760441d1a78e59c52741a7fb61775365477b0b7cf325
                                                                  • Instruction Fuzzy Hash: ADB18A71600225EFDF18CF68E9C5BAD7BB1FF04705F088169EC489B695DB74A9A0CB90
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000FE628
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                                                                  • API String ID: 1659193697-2318614619
                                                                  • Opcode ID: a0226b0488c534f0113590f734022ef272cbd7bbea38ee84fed4decff9e3ea67
                                                                  • Instruction ID: ba49bb11306aae3db3ff449f7e80ffab1d46260076a586a9f0dd4c687da1e2ac
                                                                  • Opcode Fuzzy Hash: a0226b0488c534f0113590f734022ef272cbd7bbea38ee84fed4decff9e3ea67
                                                                  • Instruction Fuzzy Hash: 11323575A047099FD728DF19C4819AAB7F0FF48310B15C46EE99ADB7A2E770E941CB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID:
                                                                  • API String ID: 4104443479-0
                                                                  • Opcode ID: 221549705d2c9b07ecd506f700ca42d83810e5807a444acfb75582a731149ad4
                                                                  • Instruction ID: 683505eb2e22e9882b20a463c059e41f37d2e3e224788b12c755729d11e30815
                                                                  • Opcode Fuzzy Hash: 221549705d2c9b07ecd506f700ca42d83810e5807a444acfb75582a731149ad4
                                                                  • Instruction Fuzzy Hash: 4D12A970A00A09DFDF14DFA4D981AEEB7F5FF48301F108569E846E7292EB36A910CB50
                                                                  APIs
                                                                    • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                                    • Part of subcall function 00104A31: GetFileAttributesW.KERNEL32(?,0010370B), ref: 00104A32
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00103B89
                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00103BD9
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00103BEA
                                                                  • FindClose.KERNEL32(00000000), ref: 00103C01
                                                                  • FindClose.KERNEL32(00000000), ref: 00103C0A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                  • String ID: \*.*
                                                                  • API String ID: 2649000838-1173974218
                                                                  • Opcode ID: 1960021dd6fd83d8b40d0897554ad19cb07fb91e2ab093dacae29e3377c1a7cf
                                                                  • Instruction ID: 0337001aa5229c1c47bece9717a54c107bec3505c6ffd978c67a2bb8f8da2a94
                                                                  • Opcode Fuzzy Hash: 1960021dd6fd83d8b40d0897554ad19cb07fb91e2ab093dacae29e3377c1a7cf
                                                                  • Instruction Fuzzy Hash: ED316D31008385ABC305EF64C9919EFB7ACBF96315F404D2EF4E592192EB61DA09C763
                                                                  APIs
                                                                    • Part of subcall function 000F87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F882B
                                                                    • Part of subcall function 000F87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F8858
                                                                    • Part of subcall function 000F87E1: GetLastError.KERNEL32 ref: 000F8865
                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 001051F9
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                  • String ID: $@$SeShutdownPrivilege
                                                                  • API String ID: 2234035333-194228
                                                                  • Opcode ID: c530ff0f6d2904aa7f9765eb474869ee0156d86d16bb8f6cbe98ddc4e3822db4
                                                                  • Instruction ID: 37eb5fdb8bda11da06ed03a210ea1fb6f9297fc9f375b8981da266e9f2b40c0b
                                                                  • Opcode Fuzzy Hash: c530ff0f6d2904aa7f9765eb474869ee0156d86d16bb8f6cbe98ddc4e3822db4
                                                                  • Instruction Fuzzy Hash: 8301F735691615FBE73C62689C8AFFB726AEF05740F204534F993E24D3DBD15C428990
                                                                  APIs
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 001162DC
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 001162EB
                                                                  • bind.WS2_32(00000000,?,00000010), ref: 00116307
                                                                  • listen.WS2_32(00000000,00000005), ref: 00116316
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 00116330
                                                                  • closesocket.WS2_32(00000000), ref: 00116344
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                  • String ID:
                                                                  • API String ID: 1279440585-0
                                                                  • Opcode ID: 8bb2400dbf97be2cd4aec68968187e5b6874e5d62e0aa7c364b1a27938d516b7
                                                                  • Instruction ID: 7dc5e1540538ba062753a14df2d3847bc9391dfecea56cee43861f43bdd8b8c1
                                                                  • Opcode Fuzzy Hash: 8bb2400dbf97be2cd4aec68968187e5b6874e5d62e0aa7c364b1a27938d516b7
                                                                  • Instruction Fuzzy Hash: BE21D534600204AFCB14EF64C945BAEB7B9EF45710F14416CE916A7392CB70AC82CB61
                                                                  APIs
                                                                    • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                                    • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                                  • _memmove.LIBCMT ref: 000F0258
                                                                  • _memmove.LIBCMT ref: 000F036D
                                                                  • _memmove.LIBCMT ref: 000F0414
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 1300846289-0
                                                                  • Opcode ID: 3605413f2e3a52b35b7e3e64f70fcba7e6578b859c4e872103edefdd27321e42
                                                                  • Instruction ID: 0ecf445945182d8afba60e13d9aa2276c51ad2ce9969de3cef10f954b723a012
                                                                  • Opcode Fuzzy Hash: 3605413f2e3a52b35b7e3e64f70fcba7e6578b859c4e872103edefdd27321e42
                                                                  • Instruction Fuzzy Hash: 3A029FB0A00209DBCF14DF64D981ABEBBF5FF44300F1480A9E90ADB256EB35DA54DB91
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 000A19FA
                                                                  • GetSysColor.USER32(0000000F), ref: 000A1A4E
                                                                  • SetBkColor.GDI32(?,00000000), ref: 000A1A61
                                                                    • Part of subcall function 000A1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 000A12D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ColorDialogNtdllProc_$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 591255283-0
                                                                  • Opcode ID: 002683cf05a409f4d8f973307355b69daf830bc1d469b9b630149bbf429762cb
                                                                  • Instruction ID: 68ac22870946b65c35a23ad13c41867a6ac9da8bca02bfd957c7554854e5ea69
                                                                  • Opcode Fuzzy Hash: 002683cf05a409f4d8f973307355b69daf830bc1d469b9b630149bbf429762cb
                                                                  • Instruction Fuzzy Hash: ADA17870106694FAEB38ABA99C54EFF35DDDF67341F15021AF102D6692CB208D51D2B3
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0010BCE6
                                                                  • _wcscmp.LIBCMT ref: 0010BD16
                                                                  • _wcscmp.LIBCMT ref: 0010BD2B
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0010BD3C
                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0010BD6C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 2387731787-0
                                                                  • Opcode ID: 5d8930d5927a4aac2039ae7b076ed489225a964e212a2d3a2ee73eac73aa6128
                                                                  • Instruction ID: 6c438e3204830086cb202b08813790e7ad8f927d228ccfadc91c8ba55b8be89f
                                                                  • Opcode Fuzzy Hash: 5d8930d5927a4aac2039ae7b076ed489225a964e212a2d3a2ee73eac73aa6128
                                                                  • Instruction Fuzzy Hash: 93515E356086019FC718DFA8C4D0E9AB3E4EF49314F10462DE996873A2DB70ED05CB91
                                                                  APIs
                                                                    • Part of subcall function 00117D8B: inet_addr.WS2_32(00000000), ref: 00117DB6
                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 0011679E
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 001167C7
                                                                  • bind.WS2_32(00000000,?,00000010), ref: 00116800
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 0011680D
                                                                  • closesocket.WS2_32(00000000), ref: 00116821
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 99427753-0
                                                                  • Opcode ID: 9e2b5483dd7676de230afb08356ed42cbabc3834929e1a3db8b3b003f1988133
                                                                  • Instruction ID: ba69bfe317ffd7b74da3f337b960589a89af805e68fd3da55a240050934df0bf
                                                                  • Opcode Fuzzy Hash: 9e2b5483dd7676de230afb08356ed42cbabc3834929e1a3db8b3b003f1988133
                                                                  • Instruction Fuzzy Hash: 6441C275B00210AFDB14AFA48C86FAE77A89B06B14F04856CF915AB3D3CB749D4187A1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                  • String ID:
                                                                  • API String ID: 292994002-0
                                                                  • Opcode ID: e3812b28f3d60630d05b92e6f7681c2f6b16cc273df1538e6aa968e2d036ca1a
                                                                  • Instruction ID: 258cdd526eedf400695325b1fe32c138869f48a4dbaee3f27ac98b02a3dfa642
                                                                  • Opcode Fuzzy Hash: e3812b28f3d60630d05b92e6f7681c2f6b16cc273df1538e6aa968e2d036ca1a
                                                                  • Instruction Fuzzy Hash: 3711C8317009216FD721AF26AC84A6EBBAAFF457A1F41403CF845D3242DB74DC6386A0
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F80C0
                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F80CA
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F80D9
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 000F80E0
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F80F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 47921759-0
                                                                  • Opcode ID: 406f409ee556390b64a012a85a02e37a00717c8ac68e7ab88b4dee4efe901cfd
                                                                  • Instruction ID: f626b4362b8d86dddf93aae4adddac20f6b69aa825831d3bcf81cf267f52fdf2
                                                                  • Opcode Fuzzy Hash: 406f409ee556390b64a012a85a02e37a00717c8ac68e7ab88b4dee4efe901cfd
                                                                  • Instruction Fuzzy Hash: F5F03C35240208BFEB204FA5EC89EB73BADFF49755F504139FA4586550CB619C93EB60
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 0010C432
                                                                  • CoCreateInstance.COMBASE(00132D6C,00000000,00000001,00132BDC,?), ref: 0010C44A
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • CoUninitialize.COMBASE ref: 0010C6B7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                  • String ID: .lnk
                                                                  • API String ID: 2683427295-24824748
                                                                  • Opcode ID: bbb31f09ce329a2e88a72a00d71cc745d93f99239ea8717c9395b2cde6977519
                                                                  • Instruction ID: 901dd1ac92cd183b71291b989ace9cb0396ab777f20f33c4f0ca8ff5b3d68654
                                                                  • Opcode Fuzzy Hash: bbb31f09ce329a2e88a72a00d71cc745d93f99239ea8717c9395b2cde6977519
                                                                  • Instruction Fuzzy Hash: 3FA12B71204205AFD700EF94CC81EABB7E8FF95354F00492DF5959B1A2DB71EA49CB62
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,000A4AD0), ref: 000A4B45
                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000A4B57
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                  • API String ID: 2574300362-192647395
                                                                  • Opcode ID: b69cb3464d1ae1104106cd3a6e954355440f31bb72c1c9bd6f3fbd40567f4eee
                                                                  • Instruction ID: dbea9d3e8c441ddedae786154ecd998a7aae15d51b2f64f58b5e045ef4d8af95
                                                                  • Opcode Fuzzy Hash: b69cb3464d1ae1104106cd3a6e954355440f31bb72c1c9bd6f3fbd40567f4eee
                                                                  • Instruction Fuzzy Hash: E5D01234A10723DFD7209F71E818B06B6F4AF45751F11883D9485D6550D7B0D4E1C664
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 674341424-0
                                                                  • Opcode ID: 267c4182c70bcd8c89355e1c6581e80d9d0aed9459705126cfda210d9b842439
                                                                  • Instruction ID: 447cee5c011a2e962d570d6a41d3fa10c39ec50250330422062d10ab94146a84
                                                                  • Opcode Fuzzy Hash: 267c4182c70bcd8c89355e1c6581e80d9d0aed9459705126cfda210d9b842439
                                                                  • Instruction Fuzzy Hash: 7F22AB716083409FC724DF64D891BAFB7E4AF85710F14492DF89AA7292DB71EA04CB92
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0011EE3D
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0011EE4B
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 0011EF0B
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0011EF1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                  • String ID:
                                                                  • API String ID: 2576544623-0
                                                                  • Opcode ID: 992ac426a88f15d0d7e1dcb70298edf5e161b63f95ba49244110774e6061ed2f
                                                                  • Instruction ID: dd210cc4e94cd060da7a7be99b1c798e3f9e7af28f304888af57d17fbb465a93
                                                                  • Opcode Fuzzy Hash: 992ac426a88f15d0d7e1dcb70298edf5e161b63f95ba49244110774e6061ed2f
                                                                  • Instruction Fuzzy Hash: 6B51A071504301AFD324EF60DC81EABB7E8FF95700F40482DF895972A2EB70A949CB92
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • GetCursorPos.USER32(?), ref: 0012C4D2
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000DB9AB,?,?,?,?,?), ref: 0012C4E7
                                                                  • GetCursorPos.USER32(?), ref: 0012C534
                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,000DB9AB,?,?,?), ref: 0012C56E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                                  • String ID:
                                                                  • API String ID: 1423138444-0
                                                                  • Opcode ID: 583b5e3ff653256550588b4379688fac6e27758830a0501462ba9d941dcc3431
                                                                  • Instruction ID: eec2d8ec2135ab01430963bd500ca2741eba1228f5aff9c1b9fee6b423fe7600
                                                                  • Opcode Fuzzy Hash: 583b5e3ff653256550588b4379688fac6e27758830a0501462ba9d941dcc3431
                                                                  • Instruction Fuzzy Hash: FA31B435600068BFCB258F58E858DEE7BF6EB09350F044069FA0587661C731A961DFD4
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000F85E2
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 000F85E9
                                                                  • CloseHandle.KERNEL32(00000004), ref: 000F8603
                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F8632
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                                  • String ID:
                                                                  • API String ID: 2621361867-0
                                                                  • Opcode ID: ddaaf8035a2251a652d1c96195e15972d5413f156c8279b465996bffef71da6b
                                                                  • Instruction ID: f15c9fd57b6e051c475664fb30ab55a610d7679d13ec704e559d0b92dfb26932
                                                                  • Opcode Fuzzy Hash: ddaaf8035a2251a652d1c96195e15972d5413f156c8279b465996bffef71da6b
                                                                  • Instruction Fuzzy Hash: 3F114A7250024DBBDF118FA4ED49FEE7BB9EB08704F048069FE04A2560C6718D62EB60
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 000A12D8
                                                                  • GetClientRect.USER32(?,?), ref: 000DB5FB
                                                                  • GetCursorPos.USER32(?), ref: 000DB605
                                                                  • ScreenToClient.USER32(?,?), ref: 000DB610
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1010295502-0
                                                                  • Opcode ID: e2997cbd315e377451ff5494eb1edb616915c6e83bb869a9c8411c91229234d2
                                                                  • Instruction ID: 4e9fb81fd9debc5113908d95c8a3cb4207f6ee9ff4400a848ac7bed76d54a8b2
                                                                  • Opcode Fuzzy Hash: e2997cbd315e377451ff5494eb1edb616915c6e83bb869a9c8411c91229234d2
                                                                  • Instruction Fuzzy Hash: C7110A39500519FFCB10DF98D985AFE77B9EB06301F500466F901E7651D730FAA28BA5
                                                                  APIs
                                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0011180A,00000000), ref: 001123E1
                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00112418
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                  • String ID:
                                                                  • API String ID: 599397726-0
                                                                  • Opcode ID: ae301d69e4d883f696e3e88066c75c2e36acfd266b7dde377a6ab928aa23456a
                                                                  • Instruction ID: 52b5e7cc0488f5feb5f46e869617420a2092106a18485fe44f1c271dca979a86
                                                                  • Opcode Fuzzy Hash: ae301d69e4d883f696e3e88066c75c2e36acfd266b7dde377a6ab928aa23456a
                                                                  • Instruction Fuzzy Hash: DF41D071A04209BFEB289B95DC81FFFB7ACEB44314F10403EF611A6541EB749EA19660
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0010B343
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0010B39D
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0010B3EA
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1682464887-0
                                                                  • Opcode ID: 3847d174bfbd906c36092731d5383ba4c9f0b31b20dfefc0b841ed8170c645a2
                                                                  • Instruction ID: 2666c3a5c8050af1ea03e9b95241b178d06548e3dae76b9c50600c0617460710
                                                                  • Opcode Fuzzy Hash: 3847d174bfbd906c36092731d5383ba4c9f0b31b20dfefc0b841ed8170c645a2
                                                                  • Instruction Fuzzy Hash: 4E217135A00508EFCB00EFA5D881AEEBBB8FF49310F1480A9E905AB351DB359956CB51
                                                                  APIs
                                                                    • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                                    • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F882B
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F8858
                                                                  • GetLastError.KERNEL32 ref: 000F8865
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 1922334811-0
                                                                  • Opcode ID: b1e5951f9561125f5d64d2f4465ddacc6949d01389c27a4ad09a85b926fdaa2e
                                                                  • Instruction ID: aa2d7bfa52939b1e2e918df40b58ab953f4ec8baf7631dae7529633034ac0139
                                                                  • Opcode Fuzzy Hash: b1e5951f9561125f5d64d2f4465ddacc6949d01389c27a4ad09a85b926fdaa2e
                                                                  • Instruction Fuzzy Hash: 941160B1414205AFD728DF54DC85D6BB7FDEB44750B10852EF45697641DE30AC42CB60
                                                                  APIs
                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 000F8774
                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000F878B
                                                                  • FreeSid.ADVAPI32(?), ref: 000F879B
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                  • String ID:
                                                                  • API String ID: 3429775523-0
                                                                  • Opcode ID: 71b84890bf0aa180825bff28fa1da21bce211eb9f63beb81bbf8ce94c27bd6fd
                                                                  • Instruction ID: 4a917b7c1154f715a3d05c7ef1355a186421682f409134e2198f31b761957107
                                                                  • Opcode Fuzzy Hash: 71b84890bf0aa180825bff28fa1da21bce211eb9f63beb81bbf8ce94c27bd6fd
                                                                  • Instruction Fuzzy Hash: 62F08735A0030CBFDB00DFE09C89AAEBBB8EF08200F1044A8AA01E2581E6306A558B14
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  • GetParent.USER32(?), ref: 000DB7BA
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,000A19B3,?,?,?,00000006,?), ref: 000DB834
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$DialogNtdllParentProc_
                                                                  • String ID:
                                                                  • API String ID: 314495775-0
                                                                  • Opcode ID: 84814f811bfea9cc08ba8d9e571716c774bcd58655433ec0c4e1e7f9d5105fec
                                                                  • Instruction ID: f82707e118be43040970eab7c69a1920ce9a6f5a475c7eb0f893b5a1e1bcdfb9
                                                                  • Opcode Fuzzy Hash: 84814f811bfea9cc08ba8d9e571716c774bcd58655433ec0c4e1e7f9d5105fec
                                                                  • Instruction Fuzzy Hash: 77218D34209604AFCB608F68C9849ED3BE7AF4A320F584265F5655B3A2CB319D52EB60
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0010C6FB
                                                                  • FindClose.KERNEL32(00000000), ref: 0010C72B
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID:
                                                                  • API String ID: 2295610775-0
                                                                  • Opcode ID: d281fcd31415dc5d4469dd2affffe5ae5c0ee2cb4417efa529b103b95daa2f11
                                                                  • Instruction ID: 42a1b917df81a09edcd566896d533cd99c8a0763b1aa47fd76f094eac01b8078
                                                                  • Opcode Fuzzy Hash: d281fcd31415dc5d4469dd2affffe5ae5c0ee2cb4417efa529b103b95daa2f11
                                                                  • Instruction Fuzzy Hash: 4E118E726006049FDB10DF29C845A6AF7E9FF85320F00861DF9A997291DB74A801CF91
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,000DB93A,?,?,?), ref: 0012C5F1
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0012C5D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                                  • String ID:
                                                                  • API String ID: 1273190321-0
                                                                  • Opcode ID: 5fa2100f9c1e30a4fc23fd5d2a53f2375d4d2dda340b6405654d9e25f4fe8463
                                                                  • Instruction ID: 82925bc36a2e5828a50bcda247a69eefb41655ea09b090a07fa61596ff1ed811
                                                                  • Opcode Fuzzy Hash: 5fa2100f9c1e30a4fc23fd5d2a53f2375d4d2dda340b6405654d9e25f4fe8463
                                                                  • Instruction Fuzzy Hash: E101D831300614ABCB255F18DC44E6E3BB7FF86360F144128FA411B6E1CB71A862DBD0
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 0012C961
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,000DBA16,?,?,?,?,?), ref: 0012C98A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ClientDialogNtdllProc_Screen
                                                                  • String ID:
                                                                  • API String ID: 3420055661-0
                                                                  • Opcode ID: eb1c7bc1ecc22b5294342f0f3b76f58198b60fb38487fcf721d69565e0ee63fb
                                                                  • Instruction ID: 0f156c6fdf5375de45ddd900335e71fb7c695ef3b87b146daa0f0fff0d02cc65
                                                                  • Opcode Fuzzy Hash: eb1c7bc1ecc22b5294342f0f3b76f58198b60fb38487fcf721d69565e0ee63fb
                                                                  • Instruction Fuzzy Hash: 2BF0307240011CFFDF149F45DC09DAE7BB9FB44311F00416AF90552561D3716AA5DBA4
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00119468,?,0012FB84,?), ref: 0010A097
                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00119468,?,0012FB84,?), ref: 0010A0A9
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID:
                                                                  • API String ID: 3479602957-0
                                                                  • Opcode ID: d4d37b5042e0304680ec22ce0aed8ced3b2aa20131ab6730324313c431c9f149
                                                                  • Instruction ID: bdc0dc247c53af7fd31ab49784b4aa22d4de382dc5b66155fce13b6495627ba9
                                                                  • Opcode Fuzzy Hash: d4d37b5042e0304680ec22ce0aed8ced3b2aa20131ab6730324313c431c9f149
                                                                  • Instruction Fuzzy Hash: 0BF0823510532DBBDB219FA4CC48FEA776CFF09761F00826AF909D6181DB709951CBA1
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0012CA84
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,000DB995,?,?,?,?), ref: 0012CAB2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogLongNtdllProc_Window
                                                                  • String ID:
                                                                  • API String ID: 2065330234-0
                                                                  • Opcode ID: 4dc93e69a54435e574bcaf389ee9a26c97616e67ef9a9dbb381a52fb839fc750
                                                                  • Instruction ID: 675854e8af251432d5a1d7195b78b2c6e81cb62f8c2c09627d51d1270a1421a6
                                                                  • Opcode Fuzzy Hash: 4dc93e69a54435e574bcaf389ee9a26c97616e67ef9a9dbb381a52fb839fc750
                                                                  • Instruction Fuzzy Hash: 3FE08670100258BFEB249F1DEC0AFBE3B64EB04751F408529F956DA1E1D77098A1D7A0
                                                                  APIs
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F8309), ref: 000F81E0
                                                                  • CloseHandle.KERNEL32(?,?,000F8309), ref: 000F81F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                  • String ID:
                                                                  • API String ID: 81990902-0
                                                                  • Opcode ID: 7a1567a142da7a57a4aceeea6deff531d1c92d322edb61d3b0f1e620738a35e0
                                                                  • Instruction ID: 40b45cbec82e083f8eccd95b566506588d4aa01ebf4076e3eaea7cd1af2801ca
                                                                  • Opcode Fuzzy Hash: 7a1567a142da7a57a4aceeea6deff531d1c92d322edb61d3b0f1e620738a35e0
                                                                  • Instruction Fuzzy Hash: 54E0BF71010510EEE7252B60EC09EB777EEEB04310B14892DB955C4871DB616CA2DB10
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,00134178,000C8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 000CA15A
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000CA163
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 09c53ce8244f9851f3ebc410f9e7a298fac6fc12438f8b146647062e039faecf
                                                                  • Instruction ID: 539286daa2931981b77e3187fdbeee35fbb815963bb2fd5f7aab3b5d1bfcf05f
                                                                  • Opcode Fuzzy Hash: 09c53ce8244f9851f3ebc410f9e7a298fac6fc12438f8b146647062e039faecf
                                                                  • Instruction Fuzzy Hash: E3B09231054208FBCA106B91EC09B883F78FB44AA2F404034F60D84860CB6254A3CA91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 894644d06617243525ca60abfbe0adb4c6169343bb577e4226f9282e88ea3c57
                                                                  • Instruction ID: 06606186e2d4a6786112f03876bcccd3703c46df195638be5124c02dabbb23c6
                                                                  • Opcode Fuzzy Hash: 894644d06617243525ca60abfbe0adb4c6169343bb577e4226f9282e88ea3c57
                                                                  • Instruction Fuzzy Hash: CD321361D29F064DDB639634D83233AA299AFB73C4F15D73BE819B5DA9EB28C4C34101
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f464c8f24513ee355db6628f7b617bf26d89feeb59fafadc4c104d1a2fb40881
                                                                  • Instruction ID: 54fa4fedd3d044c08b1f46860ec7bc1b0a4321093a07603250bd72a7dd402141
                                                                  • Opcode Fuzzy Hash: f464c8f24513ee355db6628f7b617bf26d89feeb59fafadc4c104d1a2fb40881
                                                                  • Instruction Fuzzy Hash: 98B1DE21E2AF414DD22396398835336BA5CAFBB2C5F91D71BFC6674D62EB2285C34141
                                                                  APIs
                                                                  • __time64.LIBCMT ref: 0010889B
                                                                    • Part of subcall function 000C520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00108F6E,00000000,?,?,?,?,0010911F,00000000,?), ref: 000C5213
                                                                    • Part of subcall function 000C520A: __aulldiv.LIBCMT ref: 000C5233
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                                  • String ID:
                                                                  • API String ID: 2893107130-0
                                                                  • Opcode ID: c6ecb052af9ad8bf240a57d3cad7689426f1611f928e4a50989ab2ec7a33f1b9
                                                                  • Instruction ID: 0d781f6e770b34f8e128c05ab0eb3f430f0fc3d4d9e4bca91e66381a8de4e525
                                                                  • Opcode Fuzzy Hash: c6ecb052af9ad8bf240a57d3cad7689426f1611f928e4a50989ab2ec7a33f1b9
                                                                  • Instruction Fuzzy Hash: 7521AF326256108BC729CF29D841A52B3E1EBA5311B688E6DD1F6CB2C0CBB4B945CB94
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0012D838
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogLongNtdllProc_Window
                                                                  • String ID:
                                                                  • API String ID: 2065330234-0
                                                                  • Opcode ID: 0e75330fadd6cb9a6a4d3b0ec296a991a1d89473fb6b028f386126b08beff823
                                                                  • Instruction ID: dfb0da000004b4a93cd4e4bf3f3d275f65a8f4e5a67e774496bb7bc2e4e8b124
                                                                  • Opcode Fuzzy Hash: 0e75330fadd6cb9a6a4d3b0ec296a991a1d89473fb6b028f386126b08beff823
                                                                  • Instruction Fuzzy Hash: 6D11E335204275BFEB295B2CFD06FBA3715DB42720F604324F9225A9E2CB64AD3093A4
                                                                  APIs
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,000DB952,?,?,?,?,00000000,?), ref: 0012D432
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogLongNtdllProc_Window
                                                                  • String ID:
                                                                  • API String ID: 2065330234-0
                                                                  • Opcode ID: a4382e53a2d7956cfa9a9099387516f8c12d8bc0c6961c06622765420a201016
                                                                  • Instruction ID: b9a8974e90a2b2d490963c53a0766a9c84854d7f46ad46b5e3451563ae21d9e6
                                                                  • Opcode Fuzzy Hash: a4382e53a2d7956cfa9a9099387516f8c12d8bc0c6961c06622765420a201016
                                                                  • Instruction Fuzzy Hash: 5301D831600564AFDB18EF29F849AF93B52EF46321F444125F9565B591C331BC7297A0
                                                                  APIs
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0012BCA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CallLongProc
                                                                  • String ID:
                                                                  • API String ID: 4084987330-0
                                                                  • Opcode ID: 338a7ac4ccae706667a5b1de9949863a9d66976f4a0837b26f366bbbcfde6efd
                                                                  • Instruction ID: 4fc62aa0f642058481e9451cd9fc479a26417b2793edb87b61c884d97654c292
                                                                  • Opcode Fuzzy Hash: 338a7ac4ccae706667a5b1de9949863a9d66976f4a0837b26f366bbbcfde6efd
                                                                  • Instruction Fuzzy Hash: 52F04F31104518FFCF159F54ED80CB93BAAEB48360F048124F9114A671CB32ACB1EB90
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,000A1B04,?,?,?,?,?), ref: 000A18E2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogLongNtdllProc_Window
                                                                  • String ID:
                                                                  • API String ID: 2065330234-0
                                                                  • Opcode ID: 806540dcb0f6ab0007e5591810d779ff0357f53a31384a1b2c7fc8f02dfe50d2
                                                                  • Instruction ID: d9a8f8293bba60d113dbfad6f687a03313b05b90e0a2a73a6fe73e71f3fec52c
                                                                  • Opcode Fuzzy Hash: 806540dcb0f6ab0007e5591810d779ff0357f53a31384a1b2c7fc8f02dfe50d2
                                                                  • Instruction Fuzzy Hash: 7FF0E231200215EFCB18DF49CC509BA37E2FB01350F904228F9524B6E1CB75DCA0DBA0
                                                                  APIs
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0012C8FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogNtdllProc_
                                                                  • String ID:
                                                                  • API String ID: 3239928679-0
                                                                  • Opcode ID: 9acc48c84f3dc56c8a52c7047de2721117dc0278d8199c8ef19363e2a06d8072
                                                                  • Instruction ID: 1731a53a747543855ef60a11022726a60a777ba74ec86b53ab3a8af2dc732a2d
                                                                  • Opcode Fuzzy Hash: 9acc48c84f3dc56c8a52c7047de2721117dc0278d8199c8ef19363e2a06d8072
                                                                  • Instruction Fuzzy Hash: 02F06D31600255BFDB21DF58DD05FC63BA5EB09320F448018FA11672E2CBB07870DBA0
                                                                  APIs
                                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00104C4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: mouse_event
                                                                  • String ID:
                                                                  • API String ID: 2434400541-0
                                                                  • Opcode ID: 1c0acd617303be076d22b7a6e3181422a300ae09bdcb857731609c6a256985e7
                                                                  • Instruction ID: 778efa1e14abdd85cc9034b2c67e60a03f9dd6333767744475a7a834fcc435c2
                                                                  • Opcode Fuzzy Hash: 1c0acd617303be076d22b7a6e3181422a300ae09bdcb857731609c6a256985e7
                                                                  • Instruction Fuzzy Hash: A6D05EF51652093BFE2C07209F8FF7A1108E380782FD1818973818A0C1EEC49C415030
                                                                  APIs
                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000F8389), ref: 000F87D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LogonUser
                                                                  • String ID:
                                                                  • API String ID: 1244722697-0
                                                                  • Opcode ID: f6bb94e645288441d946848c008bf250f33dfaf9ab9f721fa06e06de7f8c4814
                                                                  • Instruction ID: c18100f5a29489a876633678cd6ca5a6c2a1161ec1717a8ccc306b9613ce20e0
                                                                  • Opcode Fuzzy Hash: f6bb94e645288441d946848c008bf250f33dfaf9ab9f721fa06e06de7f8c4814
                                                                  • Instruction Fuzzy Hash: 9ED05E3226050EBBEF018EA4ED05EAE3B6AEB04B01F408121FE15D50A1C775D836AB60
                                                                  APIs
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,000DB9BC,?,?,?,?,?,?), ref: 0012C934
                                                                    • Part of subcall function 0012B635: _memset.LIBCMT ref: 0012B644
                                                                    • Part of subcall function 0012B635: _memset.LIBCMT ref: 0012B653
                                                                    • Part of subcall function 0012B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00166F20,00166F64), ref: 0012B682
                                                                    • Part of subcall function 0012B635: CloseHandle.KERNEL32 ref: 0012B694
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                                  • String ID:
                                                                  • API String ID: 2364484715-0
                                                                  • Opcode ID: de165473c388887bb9008014b644e93041ce0a743de950c1fb6b88b3877e15d2
                                                                  • Instruction ID: d73e0c7784c8b91b3b1cf63e4cea8d88a1c579a29c424ed74301df079ff44c00
                                                                  • Opcode Fuzzy Hash: de165473c388887bb9008014b644e93041ce0a743de950c1fb6b88b3877e15d2
                                                                  • Instruction Fuzzy Hash: A9E01231100218EFCB11AF44ED50E8937B6FB18305F018024FA05072B2C731A8B0EF90
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,000A1AEE,?,?,?), ref: 000A16AB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogLongNtdllProc_Window
                                                                  • String ID:
                                                                  • API String ID: 2065330234-0
                                                                  • Opcode ID: 5e47c3d390bb77e65c5cec50e532da69289e6c87c441fc38f14d206ac9a65c10
                                                                  • Instruction ID: 061da5b549e1fadbf5bc386f0a5b5350ed9a45f79e62a898660f124db859d38d
                                                                  • Opcode Fuzzy Hash: 5e47c3d390bb77e65c5cec50e532da69289e6c87c441fc38f14d206ac9a65c10
                                                                  • Instruction Fuzzy Hash: FDE01235100208FBCF15AF94DD11EA43B2BFB59310F508428FA451B6A2CB73A572DB50
                                                                  APIs
                                                                  • NtdllDialogWndProc_W.NTDLL ref: 0012C885
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogNtdllProc_
                                                                  • String ID:
                                                                  • API String ID: 3239928679-0
                                                                  • Opcode ID: 6fdbafa2096eb4c5123e3a711913ac8a83ea72d6d0536d6ea2d02f6a5c5bdc39
                                                                  • Instruction ID: fad3de698de204b35f0c610fd62cd7d260baa45e722bff30b34aa347463f5374
                                                                  • Opcode Fuzzy Hash: 6fdbafa2096eb4c5123e3a711913ac8a83ea72d6d0536d6ea2d02f6a5c5bdc39
                                                                  • Instruction Fuzzy Hash: 13E0E235200209EFCB01DF88DC84E863BA5AB1D300F004064FA0547662C771A870EB61
                                                                  APIs
                                                                  • NtdllDialogWndProc_W.NTDLL ref: 0012C8B4
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DialogNtdllProc_
                                                                  • String ID:
                                                                  • API String ID: 3239928679-0
                                                                  • Opcode ID: adb8e318d99c8ecbbeeeab571fc781a4601ebaec361e2809d2462268ffba7848
                                                                  • Instruction ID: e6c309420c2fbdc82bc3c4ed3adbcabbe12602927f8d20d440b3b31a3ae4de5a
                                                                  • Opcode Fuzzy Hash: adb8e318d99c8ecbbeeeab571fc781a4601ebaec361e2809d2462268ffba7848
                                                                  • Instruction Fuzzy Hash: 53E0E235200209EFCB01DF88D944D863BA5AB1D300F004064FA0547662C771A8B0EBA1
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                    • Part of subcall function 000A201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000A20D3
                                                                    • Part of subcall function 000A201B: KillTimer.USER32(-00000001,?,?,?,?,000A16CB,00000000,?,?,000A1AE2,?,?), ref: 000A216E
                                                                  • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,000A1AE2,?,?), ref: 000A16D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                                  • String ID:
                                                                  • API String ID: 2797419724-0
                                                                  • Opcode ID: 620d8cd6049cff0ee32f706d293e5d23d076158dbdedef6be41f72839ed2f0f8
                                                                  • Instruction ID: a3eaa268374a8e0a1268c13cfcaf8c43f9b2094e90c68c70b6fa789f83628bfa
                                                                  • Opcode Fuzzy Hash: 620d8cd6049cff0ee32f706d293e5d23d076158dbdedef6be41f72839ed2f0f8
                                                                  • Instruction Fuzzy Hash: 2DD01230140308B7DB202F94DE17F893A1A9B15750F808030BB04291D3CB716871A558
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 000CA12A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 1c61813b8144847544b520543a7fd12e33e2775919bd966ce3e2992117090436
                                                                  • Instruction ID: 20679b9e9d9756be118a43633f1d84b71541986935c51ab28831a09cb6e9ca96
                                                                  • Opcode Fuzzy Hash: 1c61813b8144847544b520543a7fd12e33e2775919bd966ce3e2992117090436
                                                                  • Instruction Fuzzy Hash: 86A0113000020CFB8A002B82EC08888BFACEB002A0B008030F80C808228B32A8A28A80
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b70fb4a8e2df2238ab5c76b6e3d5d0f0108cdd4e57007300d18b842ca80ecbab
                                                                  • Instruction ID: 7d07aeb7adc467f0bb94b678c91ef5b23ee4820a0192a46649c2602c72333a49
                                                                  • Opcode Fuzzy Hash: b70fb4a8e2df2238ab5c76b6e3d5d0f0108cdd4e57007300d18b842ca80ecbab
                                                                  • Instruction Fuzzy Hash: 8A22363050460ACBEF788A64C8947BD77E5FB41305F28C06BDB468B9B2DB74AD91E742
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                  • Instruction ID: 60e427fca34c55f6ef2a07ed9d7c811bdc8ac4e7ba2c41a8dc56239506f2e35d
                                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                  • Instruction Fuzzy Hash: 32C193322050930AEBAD47398434A7EFAE15FA37B131A076DD8B3CB5D5EE20C975D660
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                  • Instruction ID: bf8ccc6340ada184a719e41f1ee1d8f1c56e0077548bd694bcb9b557ed25036c
                                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                  • Instruction Fuzzy Hash: 25C1D4322051930AEFAD47398474A7EBAE15FA37B131A036DD4B3DB4D5EE20C974D660
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction ID: ba13be34c23054be7148481fa2eb852543c45b4815cad543e35bf314f19a8992
                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction Fuzzy Hash: 19C1A43220509309EFAD47398474ABEBAE15FA37B131A075DE4B3CB1C6EE20C975D660
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0b96d2019149ad045e2fab9f7ce87151d33c874815b8ca7d8b37dc5c546f561
                                                                  • Instruction ID: 9038406eb8812c421809f57402a0d7c6efdd8a64357c833ff4db4b6114bc33b6
                                                                  • Opcode Fuzzy Hash: a0b96d2019149ad045e2fab9f7ce87151d33c874815b8ca7d8b37dc5c546f561
                                                                  • Instruction Fuzzy Hash: F511E1385051088FCB619F7DC8905F5BBF9EFA6320B95C1ABD881CB1A2EA344D86C711
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,0012F910), ref: 00123627
                                                                  • IsWindowVisible.USER32(?), ref: 0012364B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpperVisibleWindow
                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                  • API String ID: 4105515805-45149045
                                                                  • Opcode ID: dd24feb49264852c05e92512528aec4bfc58988004e4dc33ac2901bd93ca6983
                                                                  • Instruction ID: 953d6bbd996f2d732cd5186656654afbace0521e793345917b326c4d2b0a0c94
                                                                  • Opcode Fuzzy Hash: dd24feb49264852c05e92512528aec4bfc58988004e4dc33ac2901bd93ca6983
                                                                  • Instruction Fuzzy Hash: D0D19F30208311DBCB04EF10D551EAEB7A5AF95344F05446CF8A2AB3A3DB35EE5ACB52
                                                                  APIs
                                                                  • SetTextColor.GDI32(?,00000000), ref: 0012A630
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0012A661
                                                                  • GetSysColor.USER32(0000000F), ref: 0012A66D
                                                                  • SetBkColor.GDI32(?,000000FF), ref: 0012A687
                                                                  • SelectObject.GDI32(?,00000000), ref: 0012A696
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0012A6C1
                                                                  • GetSysColor.USER32(00000010), ref: 0012A6C9
                                                                  • CreateSolidBrush.GDI32(00000000), ref: 0012A6D0
                                                                  • FrameRect.USER32(?,?,00000000), ref: 0012A6DF
                                                                  • DeleteObject.GDI32(00000000), ref: 0012A6E6
                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0012A731
                                                                  • FillRect.USER32(?,?,00000000), ref: 0012A763
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0012A78E
                                                                    • Part of subcall function 0012A8CA: GetSysColor.USER32(00000012), ref: 0012A903
                                                                    • Part of subcall function 0012A8CA: SetTextColor.GDI32(?,?), ref: 0012A907
                                                                    • Part of subcall function 0012A8CA: GetSysColorBrush.USER32(0000000F), ref: 0012A91D
                                                                    • Part of subcall function 0012A8CA: GetSysColor.USER32(0000000F), ref: 0012A928
                                                                    • Part of subcall function 0012A8CA: GetSysColor.USER32(00000011), ref: 0012A945
                                                                    • Part of subcall function 0012A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0012A953
                                                                    • Part of subcall function 0012A8CA: SelectObject.GDI32(?,00000000), ref: 0012A964
                                                                    • Part of subcall function 0012A8CA: SetBkColor.GDI32(?,00000000), ref: 0012A96D
                                                                    • Part of subcall function 0012A8CA: SelectObject.GDI32(?,?), ref: 0012A97A
                                                                    • Part of subcall function 0012A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0012A999
                                                                    • Part of subcall function 0012A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0012A9B0
                                                                    • Part of subcall function 0012A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0012A9C5
                                                                    • Part of subcall function 0012A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0012A9ED
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 3521893082-0
                                                                  • Opcode ID: 71742f74d4ef2f1421671dc44e325d0f885d4c1ca505a1b320f62add0ea916cb
                                                                  • Instruction ID: e2e3476aa5a84020ffe350524ae14c2af635c5e0b19a81b613fb9d8beb847eea
                                                                  • Opcode Fuzzy Hash: 71742f74d4ef2f1421671dc44e325d0f885d4c1ca505a1b320f62add0ea916cb
                                                                  • Instruction Fuzzy Hash: F8916B72408311BFC7209F64EC08E5B7BB9FF88321F500A2DF962961A1D771D9A6CB52
                                                                  APIs
                                                                  • DestroyWindow.USER32(00000000), ref: 001174DE
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0011759D
                                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001175DB
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001175ED
                                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00117633
                                                                  • GetClientRect.USER32(00000000,?), ref: 0011763F
                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00117683
                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00117692
                                                                  • GetStockObject.GDI32(00000011), ref: 001176A2
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 001176A6
                                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001176B6
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001176BF
                                                                  • DeleteDC.GDI32(00000000), ref: 001176C8
                                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001176F4
                                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 0011770B
                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00117746
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0011775A
                                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 0011776B
                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0011779B
                                                                  • GetStockObject.GDI32(00000011), ref: 001177A6
                                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001177B1
                                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001177BB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                  • API String ID: 2910397461-517079104
                                                                  • Opcode ID: 76e63e6d2b791e81f29fe22bc104e9eb2731f43c8e4fb85a3ce24b6064b4619b
                                                                  • Instruction ID: 9bd9d24d5519cd67d6f5aacc47e65b30aeb933ccb7753907b2f994a2b9ed628e
                                                                  • Opcode Fuzzy Hash: 76e63e6d2b791e81f29fe22bc104e9eb2731f43c8e4fb85a3ce24b6064b4619b
                                                                  • Instruction Fuzzy Hash: E2A18471A00615BFEB14DBA4DC4AFAF7B7AEB05710F004128FA14A76E1C7B0AD51CB60
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0010AD1E
                                                                  • GetDriveTypeW.KERNEL32(?,0012FAC0,?,\\.\,0012F910), ref: 0010ADFB
                                                                  • SetErrorMode.KERNEL32(00000000,0012FAC0,?,\\.\,0012F910), ref: 0010AF59
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DriveType
                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                  • API String ID: 2907320926-4222207086
                                                                  • Opcode ID: 177832ac8422150a3983585418ff20976ddba87f3e639fc2688dc4887a0c7fd7
                                                                  • Instruction ID: a6b898d564b5b313cecff11d9c09d449ec58886e10a5b3de5d909a8855d1154d
                                                                  • Opcode Fuzzy Hash: 177832ac8422150a3983585418ff20976ddba87f3e639fc2688dc4887a0c7fd7
                                                                  • Instruction Fuzzy Hash: 1B51B2B0644306EBCB14EB60C942CBD73A5EF09701BA08066E897BB2D1DFB09D45DB53
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                  • API String ID: 1038674560-86951937
                                                                  • Opcode ID: 62441ea3cddd2df637f456a185e7bbe5444a27aa1c3c335d4ffc2374b82f677a
                                                                  • Instruction ID: 7456fc570bb30308fa2d236fc28756fdaae367797c5aec9ed62d86998dd01a4b
                                                                  • Opcode Fuzzy Hash: 62441ea3cddd2df637f456a185e7bbe5444a27aa1c3c335d4ffc2374b82f677a
                                                                  • Instruction Fuzzy Hash: 2D81EBB1644305AACB21BBA0EC47FFF37B8AF16700F084029F905AB197EB71DA55D661
                                                                  APIs
                                                                  • DestroyWindow.USER32(?,?,?), ref: 000A2CA2
                                                                  • DeleteObject.GDI32(00000000), ref: 000A2CE8
                                                                  • DeleteObject.GDI32(00000000), ref: 000A2CF3
                                                                  • DestroyCursor.USER32(00000000), ref: 000A2CFE
                                                                  • DestroyWindow.USER32(00000000,?,?,?), ref: 000A2D09
                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 000DC43B
                                                                  • 6FCB0200.COMCTL32(?,000000FF,?), ref: 000DC474
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000DC89D
                                                                    • Part of subcall function 000A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A2036,?,00000000,?,?,?,?,000A16CB,00000000,?), ref: 000A1B9A
                                                                  • SendMessageW.USER32(?,00001053), ref: 000DC8DA
                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000DC8F1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: DestroyMessageSendWindow$DeleteObject$B0200CursorInvalidateMoveRect
                                                                  • String ID: 0
                                                                  • API String ID: 3010530511-4108050209
                                                                  • Opcode ID: d1d82022bd0b0bb80cdece56b830cce90c19217a162e362445b97c4f4beb094b
                                                                  • Instruction ID: 6ccc12c06790ff6834b26b6430a0ca49e9fb23113a13ba3cde1057e54678f9ee
                                                                  • Opcode Fuzzy Hash: d1d82022bd0b0bb80cdece56b830cce90c19217a162e362445b97c4f4beb094b
                                                                  • Instruction Fuzzy Hash: 7D125C30604602AFEB658F28C884FA9B7E5BF45310F54457AF495CB662CB31E892DBA1
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00129AD2
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00129B8B
                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 00129BA7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: 0
                                                                  • API String ID: 2326795674-4108050209
                                                                  • Opcode ID: 955c259e31a7094110de7a553448b2e2ede6d25a73fd322e9e691d76502dfb4e
                                                                  • Instruction ID: 213cff6e459b1c8d25e429476d5d5da3a5f4055e8e16efd62c7f104db359642d
                                                                  • Opcode Fuzzy Hash: 955c259e31a7094110de7a553448b2e2ede6d25a73fd322e9e691d76502dfb4e
                                                                  • Instruction Fuzzy Hash: BD020270104321AFD725CF28ED48BAABBE5FF49310F04852CF999D62A1C734D9A5CB52
                                                                  APIs
                                                                  • GetSysColor.USER32(00000012), ref: 0012A903
                                                                  • SetTextColor.GDI32(?,?), ref: 0012A907
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0012A91D
                                                                  • GetSysColor.USER32(0000000F), ref: 0012A928
                                                                  • CreateSolidBrush.GDI32(?), ref: 0012A92D
                                                                  • GetSysColor.USER32(00000011), ref: 0012A945
                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0012A953
                                                                  • SelectObject.GDI32(?,00000000), ref: 0012A964
                                                                  • SetBkColor.GDI32(?,00000000), ref: 0012A96D
                                                                  • SelectObject.GDI32(?,?), ref: 0012A97A
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0012A999
                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0012A9B0
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0012A9C5
                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0012A9ED
                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0012AA14
                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 0012AA32
                                                                  • DrawFocusRect.USER32(?,?), ref: 0012AA3D
                                                                  • GetSysColor.USER32(00000011), ref: 0012AA4B
                                                                  • SetTextColor.GDI32(?,00000000), ref: 0012AA53
                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0012AA67
                                                                  • SelectObject.GDI32(?,0012A5FA), ref: 0012AA7E
                                                                  • DeleteObject.GDI32(?), ref: 0012AA89
                                                                  • SelectObject.GDI32(?,?), ref: 0012AA8F
                                                                  • DeleteObject.GDI32(?), ref: 0012AA94
                                                                  • SetTextColor.GDI32(?,?), ref: 0012AA9A
                                                                  • SetBkColor.GDI32(?,?), ref: 0012AAA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 1996641542-0
                                                                  • Opcode ID: c95fd7749cc879dc68c3fd7f816d913bd68a169a1525814c002309e36052f332
                                                                  • Instruction ID: 43d03b29df357984cceb55e4686f28223a3fd51c3f141045deecf81f6798f7e2
                                                                  • Opcode Fuzzy Hash: c95fd7749cc879dc68c3fd7f816d913bd68a169a1525814c002309e36052f332
                                                                  • Instruction Fuzzy Hash: 6B513E71900218FFDF119FA4DC48EAE7B79EF08320F114129F911AB2A1D77599A2DF90
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00128AC1
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00128AD2
                                                                  • CharNextW.USER32(0000014E), ref: 00128B01
                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00128B42
                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00128B58
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00128B69
                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00128B86
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00128BD8
                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00128BEE
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00128C1F
                                                                  • _memset.LIBCMT ref: 00128C44
                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00128C8D
                                                                  • _memset.LIBCMT ref: 00128CEC
                                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00128D16
                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00128D6E
                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00128E1B
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00128E3D
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00128E87
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00128EB4
                                                                  • DrawMenuBar.USER32(?), ref: 00128EC3
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00128EEB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                  • String ID: 0
                                                                  • API String ID: 1073566785-4108050209
                                                                  • Opcode ID: 6596f1db3f35bc2f02449c95a06cf448e621f2b47eca607277e35a13bb4294b1
                                                                  • Instruction ID: 73c223538c3b99f00d279494f24e1090eb3d246464f652cf7d542b7b18d7afa3
                                                                  • Opcode Fuzzy Hash: 6596f1db3f35bc2f02449c95a06cf448e621f2b47eca607277e35a13bb4294b1
                                                                  • Instruction Fuzzy Hash: D7E17170901228AFDF209F64DC84EEE7B79EF05710F10815AF915AB291DF709AA6DF60
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 001249CA
                                                                  • GetDesktopWindow.USER32 ref: 001249DF
                                                                  • GetWindowRect.USER32(00000000), ref: 001249E6
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00124A48
                                                                  • DestroyWindow.USER32(?), ref: 00124A74
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00124A9D
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00124ABB
                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00124AE1
                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00124AF6
                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00124B09
                                                                  • IsWindowVisible.USER32(?), ref: 00124B29
                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00124B44
                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00124B58
                                                                  • GetWindowRect.USER32(?,?), ref: 00124B70
                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00124B96
                                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00124BB0
                                                                  • CopyRect.USER32(?,?), ref: 00124BC7
                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00124C32
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                  • String ID: ($0$tooltips_class32
                                                                  • API String ID: 698492251-4156429822
                                                                  • Opcode ID: 557c3ad461d27e16ad1f52f137c50abf09956c1408a270e9dd9528d91bdff076
                                                                  • Instruction ID: 36c5f422a495e10f4b97f3170e36950e067b4f4f9e5e2efa271c0d62ea22eba5
                                                                  • Opcode Fuzzy Hash: 557c3ad461d27e16ad1f52f137c50abf09956c1408a270e9dd9528d91bdff076
                                                                  • Instruction Fuzzy Hash: 14B1AA70604350AFDB14DF64D848B6ABBE4FF89310F00892CF99A9B2A1D770EC55CB96
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A28BC
                                                                  • GetSystemMetrics.USER32(00000007), ref: 000A28C4
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A28EF
                                                                  • GetSystemMetrics.USER32(00000008), ref: 000A28F7
                                                                  • GetSystemMetrics.USER32(00000004), ref: 000A291C
                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000A2939
                                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000A2949
                                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000A297C
                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000A2990
                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 000A29AE
                                                                  • GetStockObject.GDI32(00000011), ref: 000A29CA
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 000A29D5
                                                                    • Part of subcall function 000A2344: GetCursorPos.USER32(?), ref: 000A2357
                                                                    • Part of subcall function 000A2344: ScreenToClient.USER32(001657B0,?), ref: 000A2374
                                                                    • Part of subcall function 000A2344: GetAsyncKeyState.USER32(00000001), ref: 000A2399
                                                                    • Part of subcall function 000A2344: GetAsyncKeyState.USER32(00000002), ref: 000A23A7
                                                                  • SetTimer.USER32(00000000,00000000,00000028,000A1256), ref: 000A29FC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                  • String ID: AutoIt v3 GUI
                                                                  • API String ID: 1458621304-248962490
                                                                  • Opcode ID: 5a79b073dccaed1e847ccb86e6c77eee0c1d3cacb4770debc0c713cfc0b8cf3b
                                                                  • Instruction ID: 6ee010205c04bfd8856bb293c24d9b4a13a8ec1c8deb02a42f4d9b5cbe15efa7
                                                                  • Opcode Fuzzy Hash: 5a79b073dccaed1e847ccb86e6c77eee0c1d3cacb4770debc0c713cfc0b8cf3b
                                                                  • Instruction Fuzzy Hash: C9B15C71A0020AEFDB24DFA8DD45BAE7BB5FB09311F104239FA15E76A0DB749851CB50
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$B1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                  • API String ID: 2719676056-1459072770
                                                                  • Opcode ID: 875c88b00fb9834a5413465bafbac335f58563ea792e92d8deece8bcb637a73c
                                                                  • Instruction ID: ff445a8042c571babb88234755e5edc1ef3e8d328312b63308538583b0062235
                                                                  • Opcode Fuzzy Hash: 875c88b00fb9834a5413465bafbac335f58563ea792e92d8deece8bcb637a73c
                                                                  • Instruction Fuzzy Hash: 3D41AF72A40200BBDB14AB649C47FFF77ACDF45710F04406EFA05A61C3EB75AA1296A9
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 000FA47A
                                                                  • __swprintf.LIBCMT ref: 000FA51B
                                                                  • _wcscmp.LIBCMT ref: 000FA52E
                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000FA583
                                                                  • _wcscmp.LIBCMT ref: 000FA5BF
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 000FA5F6
                                                                  • GetDlgCtrlID.USER32(?), ref: 000FA648
                                                                  • GetWindowRect.USER32(?,?), ref: 000FA67E
                                                                  • GetParent.USER32(?), ref: 000FA69C
                                                                  • ScreenToClient.USER32(00000000), ref: 000FA6A3
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 000FA71D
                                                                  • _wcscmp.LIBCMT ref: 000FA731
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 000FA757
                                                                  • _wcscmp.LIBCMT ref: 000FA76B
                                                                    • Part of subcall function 000C362C: _iswctype.LIBCMT ref: 000C3634
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                  • String ID: %s%u
                                                                  • API String ID: 3744389584-679674701
                                                                  • Opcode ID: a896912512070f8ae0392d08e8ef425144396091b6f83b049e68b4a8154bebe7
                                                                  • Instruction ID: b3e6ab80a528795f6c14662530ca6856c8382d8a2b51465eb91fe7951be5fd71
                                                                  • Opcode Fuzzy Hash: a896912512070f8ae0392d08e8ef425144396091b6f83b049e68b4a8154bebe7
                                                                  • Instruction Fuzzy Hash: 63A1BEB130470AABD714EF60C884FBAB7E8FF45314F008529EA9DC2591DB34E956DB92
                                                                  APIs
                                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 000FAF18
                                                                  • _wcscmp.LIBCMT ref: 000FAF29
                                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 000FAF51
                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 000FAF6E
                                                                  • _wcscmp.LIBCMT ref: 000FAF8C
                                                                  • _wcsstr.LIBCMT ref: 000FAF9D
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 000FAFD5
                                                                  • _wcscmp.LIBCMT ref: 000FAFE5
                                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 000FB00C
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 000FB055
                                                                  • _wcscmp.LIBCMT ref: 000FB065
                                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 000FB08D
                                                                  • GetWindowRect.USER32(00000004,?), ref: 000FB0F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                  • String ID: @$ThumbnailClass
                                                                  • API String ID: 1788623398-1539354611
                                                                  • Opcode ID: f5701b5e92e15abe9241872757c5a475be49e0d4b3da3b6ecf48e4d68de16185
                                                                  • Instruction ID: 8ce968471b599967963991b7166da179c9d2486941742d68c9c4d2af16b68b1f
                                                                  • Opcode Fuzzy Hash: f5701b5e92e15abe9241872757c5a475be49e0d4b3da3b6ecf48e4d68de16185
                                                                  • Instruction Fuzzy Hash: AA81BF711082099FDB14DF50C881FBA7BE8FF45314F148469FE898A492DB34DE8ADB61
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                  • API String ID: 1038674560-1810252412
                                                                  • Opcode ID: fc4d907db28e36829be4db4067d34f550e836a5be82100c60044c45dbfa89b12
                                                                  • Instruction ID: 8bddbd528f7cc7e93d18503f47a57304967d5e359326be6f01ab21f7c495a0aa
                                                                  • Opcode Fuzzy Hash: fc4d907db28e36829be4db4067d34f550e836a5be82100c60044c45dbfa89b12
                                                                  • Instruction Fuzzy Hash: 8F31B271A48209E6DA14EBA0EE43FFE77A4AB11712F244018B91A764D2EB516F089692
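                                                                   The two function listings above, the window-creation routine that registers the "AutoIt v3 GUI" class and the matcher that parses the "[ACTIVE", "[CLASS:", "[HANDLE:", "[LAST" and "[REGEXPTITLE:" title specifiers, are AutoIt v3 interpreter code rather than the keylogger payload. The following Python is an added triage helper, not code from the Joe Sandbox report, from AutoIt or from the sample, that searches a dump for those strings so an analyst can confirm the runtime is what the functions belong to and move on to the embedded script. The load base 0xA0000 it uses when printing addresses is taken from the "Offset: 000A0000" of the memory dump source above; the image it scans by default is constructed inline, and the "partial" threshold of three specifiers is an assumption chosen for this example.

```python
"""Triage helper: locate AutoIt v3 runtime indicators in a PE image or memory dump.

Added example for this report; not code from Joe Sandbox, AutoIt or the sample.
"""
import re
import sys
from typing import Dict, List, Tuple

# Strings recovered in the function listings above. The runtime calls the
# W-suffixed USER32 APIs, so in the image they are stored as UTF-16LE; the
# ASCII form is searched as well in case a packer or dumper re-encoded them.
GUI_CLASS = "AutoIt v3 GUI"
TITLE_MATCH_SPECS = ["[ACTIVE", "[ALL", "[CLASS:", "[HANDLE:", "[LAST", "[REGEXPTITLE:"]
TOOLTIP_CLASS = "tooltips_class32"  # common-controls class; weak evidence on its own

CODECS = {"utf-16le": "utf-16-le", "ascii": "ascii"}


def find_string(data: bytes, needle: str, base: int = 0) -> List[Tuple[str, int]]:
    """Return (encoding, address) for each occurrence of needle in data.

    base is the load address of the dump (0xA0000 for this report's source
    file), so the addresses line up with the ref: values in the listing.
    """
    hits: List[Tuple[str, int]] = []
    for label, codec in CODECS.items():
        pattern = re.escape(needle.encode(codec))
        for match in re.finditer(pattern, data):
            hits.append((label, base + match.start()))
    return hits


def scan_autoit_indicators(data: bytes, base: int = 0) -> Dict[str, object]:
    """Collect every indicator hit plus a count of distinct title specifiers."""
    title_hits = {spec: find_string(data, spec, base) for spec in TITLE_MATCH_SPECS}
    return {
        "gui_class": find_string(data, GUI_CLASS, base),
        "title_match": title_hits,
        "title_match_count": sum(1 for hits in title_hits.values() if hits),
        "tooltip_class": find_string(data, TOOLTIP_CLASS, base),
    }


def classify(data: bytes, base: int = 0) -> str:
    """Verdict on whether the blob carries the AutoIt interpreter.

    The window-class string alone could be a decoy, so the verdict also
    requires most of the WinTitleMatchMode grammar (threshold of three is an
    assumption for this example), which the interpreter's title parser carries.
    """
    report = scan_autoit_indicators(data, base)
    if report["gui_class"] and report["title_match_count"] >= 3:
        return "autoit-runtime"
    if report["gui_class"] or report["title_match_count"]:
        return "partial"
    return "no-autoit-indicators"


def build_sample_dump() -> bytes:
    """Constructed test image: filler bytes with the indicators embedded as UTF-16LE."""
    filler = bytes(range(256)) * 4  # 1024 bytes of non-text padding
    parts = [filler, GUI_CLASS.encode("utf-16-le"), b"\x00\x00", filler]
    for spec in TITLE_MATCH_SPECS:
        parts += [spec.encode("utf-16-le"), b"\x00\x00"]
    parts += [filler, TOOLTIP_CLASS.encode("utf-16-le"), b"\x00\x00"]
    return b"".join(parts)


def format_report(report: Dict[str, object]) -> str:
    """Render hits as (encoding, hex address) pairs, one indicator per line."""
    lines = [f"gui_class:      {[(e, hex(a)) for e, a in report['gui_class']]}"]
    for spec, hits in report["title_match"].items():
        lines.append(f"{spec:<15} {[(e, hex(a)) for e, a in hits]}")
    lines.append(f"tooltip_class:  {[(e, hex(a)) for e, a in report['tooltip_class']]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python autoit_triage.py <dump-file> [load-base-hex]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        load_base = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0
    else:
        blob, load_base = build_sample_dump(), 0xA0000
    print(format_report(scan_autoit_indicators(blob, load_base)))
    print("verdict:", classify(blob, load_base))
```

Run it against the dump file from the memory dump source with the base "A0000" to get addresses comparable to the ref: column; a verdict of "autoit-runtime" means the listed functions can be treated as interpreter code and analysis effort belongs on the compiled script the interpreter runs, not on these routines.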
                                                                  APIs
                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00115013
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0011501E
                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00115029
                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00115034
                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 0011503F
                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 0011504A
                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00115055
                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00115060
                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 0011506B
                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00115076
                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00115081
                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0011508C
                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00115097
                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 001150A2
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 001150AD
                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 001150B8
                                                                  • GetCursorInfo.USER32(?), ref: 001150C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$Load$Info
                                                                  • String ID:
                                                                  • API String ID: 2577412497-0
                                                                  • Opcode ID: 287845cd556143aea1be6d442c90948587be05d70a53d61791b370fe59bd4280
                                                                  • Instruction ID: 2389b825f77e04fd0c612a890c776c31f0abb2de5a440766ee6a031e1e1b284e
                                                                  • Opcode Fuzzy Hash: 287845cd556143aea1be6d442c90948587be05d70a53d61791b370fe59bd4280
                                                                  • Instruction Fuzzy Hash: 3F3114B1D08319AADF109FB68C8999EBFE9FF08750F50453AA50CE7280DB7865418FA1
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0012A259
                                                                  • DestroyWindow.USER32(?,?), ref: 0012A2D3
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0012A34D
                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0012A36F
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0012A382
                                                                  • DestroyWindow.USER32(00000000), ref: 0012A3A4
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000A0000,00000000), ref: 0012A3DB
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0012A3F4
                                                                  • GetDesktopWindow.USER32 ref: 0012A40D
                                                                  • GetWindowRect.USER32(00000000), ref: 0012A414
                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0012A42C
                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0012A444
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                  • String ID: 0$tooltips_class32
                                                                  • API String ID: 1297703922-3619404913
                                                                  • Opcode ID: dd97495f4c5a43ed5cdad150b5566bb6f5065c0fae559dc41cf84e03e29c733c
                                                                  • Instruction ID: e77bf7342aae11859fe3a579ef33633dc6aaa4b43b8ce1b164c61c07c0102d1c
                                                                  • Opcode Fuzzy Hash: dd97495f4c5a43ed5cdad150b5566bb6f5065c0fae559dc41cf84e03e29c733c
                                                                  • Instruction Fuzzy Hash: 7071BC74140245AFD721DF28DC48FAA7BFAFB88700F48452CF985876A1C7B0E966CB52
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 00124424
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0012446F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharMessageSendUpper
                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                  • API String ID: 3974292440-4258414348
                                                                  • Opcode ID: f284b375613ddeff71f670c291be082fa1a2063c979b3c8cd032dcaa850202f8
                                                                  • Instruction ID: a4ba3643fbcc7556ecda599032bdff2cabf702c4b71fb8084010e24fd8d10542
                                                                  • Opcode Fuzzy Hash: f284b375613ddeff71f670c291be082fa1a2063c979b3c8cd032dcaa850202f8
                                                                  • Instruction Fuzzy Hash: 80916E702043119FCB04EF10C451AAEB7A1AF96750F05486CF8A66B7A3CB35ED59CB92
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0012B8B4
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001291C2), ref: 0012B910
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0012B949
                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0012B98C
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0012B9C3
                                                                  • FreeLibrary.KERNEL32(?), ref: 0012B9CF
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0012B9DF
                                                                  • DestroyCursor.USER32(?), ref: 0012B9EE
                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0012BA0B
                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0012BA17
                                                                    • Part of subcall function 000C2EFD: __wcsicmp_l.LIBCMT ref: 000C2F86
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                                  • String ID: .dll$.exe$.icl
                                                                  • API String ID: 3907162815-1154884017
                                                                  • Opcode ID: 4bb3c9de79fd44b7e08b930182080fa1aad6306de032d165d672546677cccdf5
                                                                  • Instruction ID: 185a61b46cbf9b830fc00b198dfe17a30669e59a1876609e3de399a7022ab0b6
                                                                  • Opcode Fuzzy Hash: 4bb3c9de79fd44b7e08b930182080fa1aad6306de032d165d672546677cccdf5
                                                                  • Instruction Fuzzy Hash: 7161FFB1904229BAEF14DF64DC81FFE7BB8EB08710F104129FA15D61C1DB74A9A1DBA0
                                                                  APIs
                                                                  • GetLocalTime.KERNEL32(?), ref: 0010DCDC
                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0010DCEC
                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0010DCF8
                                                                  • __wsplitpath.LIBCMT ref: 0010DD56
                                                                  • _wcscat.LIBCMT ref: 0010DD6E
                                                                  • _wcscat.LIBCMT ref: 0010DD80
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0010DD95
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DDA9
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DDDB
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DDFC
                                                                  • _wcscpy.LIBCMT ref: 0010DE08
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0010DE47
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                  • String ID: *.*
                                                                  • API String ID: 3566783562-438819550
                                                                  • Opcode ID: 26c426d057b338d456420df8bd25f401943f745f66be82c24933eb2995f1e6ca
                                                                  • Instruction ID: c7bd7d352d135cae011112c0748f8cdec1aa27add8e5eb2d8b2ff821cf2bd5a1
                                                                  • Opcode Fuzzy Hash: 26c426d057b338d456420df8bd25f401943f745f66be82c24933eb2995f1e6ca
                                                                  • Instruction Fuzzy Hash: 316159725042059FDB10EFA0D845AAEB3E8FF89314F04492DF98987292EB75E945CB92
                                                                  APIs
                                                                  • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00109C7F
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00109CA0
                                                                  • __swprintf.LIBCMT ref: 00109CF9
                                                                  • __swprintf.LIBCMT ref: 00109D12
                                                                  • _wprintf.LIBCMT ref: 00109DB9
                                                                  • _wprintf.LIBCMT ref: 00109DD7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 311963372-3080491070
                                                                  • Opcode ID: 6cecc23bf8dda0ff89e625724fdca4f8c0a3cb29c7b60b1069f078865548128d
                                                                  • Instruction ID: ffab24e38739dbcdb3b580af0d9e0388eba7c00589d946bba21f799558e2047f
                                                                  • Opcode Fuzzy Hash: 6cecc23bf8dda0ff89e625724fdca4f8c0a3cb29c7b60b1069f078865548128d
                                                                  • Instruction Fuzzy Hash: 7151BE7190060AAACF14EBE0DD56EEEB779EF05300F504069F509760A3EB712F99DB60
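The per-function blocks above (API list, memory dump source, Similarity fields with the `$`-joined String ID and the two fuzzy hashes) are what an analyst compares across samples to spot a shared runtime or a reused loader. The following parser is an added example, not part of the Joe Sandbox report or its tooling; it turns blocks in this rendered format into records and assumes the layout shown on this page (a block opens at an `APIs` header, nested calls are marked `Part of subcall function`, and `Similarity` fields are `Key: value` bullets). The sample text is copied from two of the blocks above.

```python
"""Parse the per-function 'APIs / Memory Dump Source / Similarity' blocks that the
Joe Sandbox IDA plugin emits, so that API sets, referenced strings and fuzzy hashes
can be compared across samples. Added example; layout assumptions are from this page."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API line: "• SendMessageW.USER32(?,00001105,...), ref: 0012446F",
# "• GetDesktopWindow.USER32 ref: 0012A40D" (no argument list), or a nested
# "• Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Any other "• Key: value" bullet (Source File, Snapshot File, API ID, String ID, hashes ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str             # address of the call site
    args: str | None     # raw argument list as rendered, None when not shown
    parent: str | None   # callee address when the line is "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def strings(self) -> list[str]:
        # The report joins referenced strings with '$'; do not strip them, some carry spaces.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Start a new record at every 'APIs' header and route lines by section."""
    blocks: list[FunctionBlock] = []
    current: FunctionBlock | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":          # every function block opens with its API list
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None:             # text before the first block
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["args"], m["parent"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"]
    return blocks


def direct_api_names(block: FunctionBlock, skip_modules=("LIBCMT",)) -> list[str]:
    """'MODULE!Name' for the calls the function makes itself, without CRT helpers."""
    return [f"{a.module}!{a.name}" for a in block.apis
            if a.parent is None and a.module not in skip_modules]


def blocks_with_string(blocks: list[FunctionBlock], needle: str) -> list[FunctionBlock]:
    return [b for b in blocks if any(needle in s for s in b.strings)]


# Sample input: two blocks copied from this report (trimmed to the fields used here).
SAMPLE = """
APIs
• CharUpperBuffW.USER32(?,?), ref: 00124424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0012446F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Instruction Fuzzy Hash: 80916E702043119FCB04EF10C451AAEB7A1AF96750F05486CF8A66B7A3CB35ED59CB92
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00109C7F
  • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00109CA0
• __swprintf.LIBCMT ref: 00109CF9
• _wprintf.LIBCMT ref: 00109DB9
Strings
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• Instruction Fuzzy Hash: 7151BE7190060AAACF14EBE0DD56EEEB779EF05300F504069F509760A3EB712F99DB60
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.instruction_fuzzy_hash[:16], direct_api_names(b), b.strings[:3])
```

Nested `Part of subcall function` lines are kept but flagged with their callee address, so `direct_api_names` reports only what the function itself imports; the Instruction Fuzzy Hash values collected this way can be fed to whatever similarity tooling you already use.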
                                                                  APIs
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0010A3CB
                                                                  • GetDriveTypeW.KERNEL32 ref: 0010A418
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010A460
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010A497
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010A4C5
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                  • API String ID: 2698844021-4113822522
                                                                  • Opcode ID: a2c27d9dc58877f456de56c7ebf1748d7bd5d5f60c6fc454697051d03439e7db
                                                                  • Instruction ID: e5554c91ea38c17608a58b6df2463a2104b6a8236d59cf2d4e8347a93f0c3e32
                                                                  • Opcode Fuzzy Hash: a2c27d9dc58877f456de56c7ebf1748d7bd5d5f60c6fc454697051d03439e7db
                                                                  • Instruction Fuzzy Hash: 675150751143059FC700EF10C8819ABB3E4FF85718F44886DF899AB292DB71ED0ACB52
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,000DE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 000FF8DF
                                                                  • LoadStringW.USER32(00000000,?,000DE029,00000001), ref: 000FF8E8
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • GetModuleHandleW.KERNEL32(00000000,00165310,?,00000FFF,?,?,000DE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 000FF90A
                                                                  • LoadStringW.USER32(00000000,?,000DE029,00000001), ref: 000FF90D
                                                                  • __swprintf.LIBCMT ref: 000FF95D
                                                                  • __swprintf.LIBCMT ref: 000FF96E
                                                                  • _wprintf.LIBCMT ref: 000FFA17
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000FFA2E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                  • API String ID: 984253442-2268648507
                                                                  • Opcode ID: 59d4998f3c45c06f29dd4ef6b34ad24483d3551e349569e9f63e8be63335ce8a
                                                                  • Instruction ID: 712b17380dcd327aeb209d5a187caab9a88dde111e0819f6e58d6673383644d2
                                                                  • Opcode Fuzzy Hash: 59d4998f3c45c06f29dd4ef6b34ad24483d3551e349569e9f63e8be63335ce8a
                                                                  • Instruction Fuzzy Hash: FB413D7280420DAACB14FBE0DD96EFEB778AF15311F504069B609B6093EB316F49CB61
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00129207,?,?), ref: 0012BA56
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA6D
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA78
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA85
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0012BA8E
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BA9D
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0012BAA6
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00129207,?,?,00000000,?), ref: 0012BAAD
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0012BABE
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00132CAC,?), ref: 0012BAD7
                                                                  • GlobalFree.KERNEL32(00000000), ref: 0012BAE7
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0012BB0B
                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0012BB36
                                                                  • DeleteObject.GDI32(00000000), ref: 0012BB5E
                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0012BB74
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                  • String ID:
                                                                  • API String ID: 3840717409-0
                                                                  • Opcode ID: 954f5e37d8614f0e5d8d140751b2447547713d771a314d459c3e80f7d743aa2e
                                                                  • Instruction ID: 4540c7613e88475eb3f81a10286301855cf25d8f96b1cd7597f4d5b6a9f3b6e8
                                                                  • Opcode Fuzzy Hash: 954f5e37d8614f0e5d8d140751b2447547713d771a314d459c3e80f7d743aa2e
                                                                  • Instruction Fuzzy Hash: E1411975600218FFDB219F65EC88EAABBB9FF89B11F104068F905D7260D7709D62DB60
                                                                  APIs
                                                                    • Part of subcall function 000C0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000A6B0C,?,00008000), ref: 000C0973
                                                                    • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000A6BAD
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 000A6CFA
                                                                    • Part of subcall function 000A586D: _wcscpy.LIBCMT ref: 000A58A5
                                                                    • Part of subcall function 000C363D: _iswctype.LIBCMT ref: 000C3645
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$/v$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                  • API String ID: 537147316-4266335620
                                                                  • Opcode ID: 315232760d4a684c2fc7db39c1676fd18effac0724b1d94487d93cc9c1a0397c
                                                                  • Instruction ID: 337f6a65c6d8ede5caa82822476ff35c6c84cede9496f814d663fa415a80d2b7
                                                                  • Opcode Fuzzy Hash: 315232760d4a684c2fc7db39c1676fd18effac0724b1d94487d93cc9c1a0397c
                                                                  • Instruction Fuzzy Hash: BA029D305083419FC724EF60C881AAFBBF5BF96354F14491EF49A9B2A2DB31D949CB52
                                                                  APIs
                                                                  • __wsplitpath.LIBCMT ref: 0010DA10
                                                                  • _wcscat.LIBCMT ref: 0010DA28
                                                                  • _wcscat.LIBCMT ref: 0010DA3A
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0010DA4F
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DA63
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0010DA7B
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 0010DA95
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0010DAA7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                  • String ID: *.*
                                                                  • API String ID: 34673085-438819550
                                                                  • Opcode ID: 675c456e174b017cb2338d1e35c574501902b50aaf08a79633a00a54551fdca1
                                                                  • Instruction ID: b4f60a8d8025756e823ec91c276a70a428f7e5ec26038053120ae25694a189e5
                                                                  • Opcode Fuzzy Hash: 675c456e174b017cb2338d1e35c574501902b50aaf08a79633a00a54551fdca1
                                                                  • Instruction Fuzzy Hash: 688192716043419FCB24DFA4D841AAEB7E4BF89314F15882EF8C9C7291EBB0D945CB52
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 0011738F
                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0011739B
                                                                  • CreateCompatibleDC.GDI32(?), ref: 001173A7
                                                                  • SelectObject.GDI32(00000000,?), ref: 001173B4
                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00117408
                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00117444
                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00117468
                                                                  • SelectObject.GDI32(00000006,?), ref: 00117470
                                                                  • DeleteObject.GDI32(?), ref: 00117479
                                                                  • DeleteDC.GDI32(00000006), ref: 00117480
                                                                  • ReleaseDC.USER32(00000000,?), ref: 0011748B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                  • String ID: (
                                                                  • API String ID: 2598888154-3887548279
                                                                  • Opcode ID: c1db7bae3470f4d49e2e2ba198eac308f53d8a150ea81a7eb3c67dd4f48490e3
                                                                  • Instruction ID: d6d0ac40154b46df30f3108fe9dafacf3fc1656b5086306cad7c682c388b21fa
                                                                  • Opcode Fuzzy Hash: c1db7bae3470f4d49e2e2ba198eac308f53d8a150ea81a7eb3c67dd4f48490e3
                                                                  • Instruction Fuzzy Hash: 53513875904209EFCB25CFA8CC84EAEBBB9FF48310F14852DF95A97251C731A981CB50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00102D50
                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00102DDD
                                                                  • GetMenuItemCount.USER32(00165890), ref: 00102E66
                                                                  • DeleteMenu.USER32(00165890,00000005,00000000,000000F5,?,?), ref: 00102EF6
                                                                  • DeleteMenu.USER32(00165890,00000004,00000000), ref: 00102EFE
                                                                  • DeleteMenu.USER32(00165890,00000006,00000000), ref: 00102F06
                                                                  • DeleteMenu.USER32(00165890,00000003,00000000), ref: 00102F0E
                                                                  • GetMenuItemCount.USER32(00165890), ref: 00102F16
                                                                  • SetMenuItemInfoW.USER32(00165890,00000004,00000000,00000030), ref: 00102F4C
                                                                  • GetCursorPos.USER32(?), ref: 00102F56
                                                                  • SetForegroundWindow.USER32(00000000), ref: 00102F5F
                                                                  • TrackPopupMenuEx.USER32(00165890,00000000,?,00000000,00000000,00000000), ref: 00102F72
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00102F7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 3993528054-0
                                                                  • Opcode ID: 1d249204cabf6183c7c08de46d35fc009cfea22ee74eb5cafd69634c893440a8
                                                                  • Instruction ID: 061a1f6bfa98ff3151b7aef97e14a971347db33cc7efd164bb76b4091040e145
                                                                  • Opcode Fuzzy Hash: 1d249204cabf6183c7c08de46d35fc009cfea22ee74eb5cafd69634c893440a8
                                                                  • Instruction Fuzzy Hash: D071F370640216BEEB258F54DC8DFAABF64FF05764F20022AF655AA1E1C7F16C60DB90
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                  • API String ID: 3964851224-909552448
                                                                  • Opcode ID: 7fb58197d5e2596c41084125abefb9e2c87a4a0cdc85784f2d29550631213188
                                                                  • Instruction ID: e661cd11e6e3fd4d923f470549f0098b2de99be0f1203e8ee2c0f6f0fe2cd223
                                                                  • Opcode Fuzzy Hash: 7fb58197d5e2596c41084125abefb9e2c87a4a0cdc85784f2d29550631213188
                                                                  • Instruction Fuzzy Hash: 2B41793214426ACBCF15EF10EE65AEF3760AF19300F154518FC652B293DB349D6ACBA2
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000DE2A0,00000010,?,Bad directive syntax error,0012F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000FF7C2
                                                                  • LoadStringW.USER32(00000000,?,000DE2A0,00000010), ref: 000FF7C9
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  • _wprintf.LIBCMT ref: 000FF7FC
                                                                  • __swprintf.LIBCMT ref: 000FF81E
                                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000FF88D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                  • API String ID: 1506413516-4153970271
                                                                  • Opcode ID: 887b359ee6feceb015368728a8f7a48a28db8295ec50e99167a1f4fbf9b28175
                                                                  • Instruction ID: 4123be66f87af716f1654935bc0e29e1c2d017594187643e80a4372c775db969
                                                                  • Opcode Fuzzy Hash: 887b359ee6feceb015368728a8f7a48a28db8295ec50e99167a1f4fbf9b28175
                                                                  • Instruction Fuzzy Hash: 12216D3290021EFBCF11EF90CC4AEFE7779BF18311F044469B5196A0A2EB719669DB50
                                                                  APIs
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                    • Part of subcall function 000A7924: _memmove.LIBCMT ref: 000A79AD
                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00105330
                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00105346
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00105357
                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00105369
                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0010537A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: SendString$_memmove
                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                  • API String ID: 2279737902-1007645807
                                                                  • Opcode ID: 8313247da4366004a645298bd0fe5fdeb93ae1bf9cf7844e4216a3b1be91a87d
                                                                  • Instruction ID: f4331249e8898fcda2030241517d96a5de8826613066d87abb231d14012d0120
                                                                  • Opcode Fuzzy Hash: 8313247da4366004a645298bd0fe5fdeb93ae1bf9cf7844e4216a3b1be91a87d
                                                                  • Instruction Fuzzy Hash: 74119431A5012DB9D724B7A5CC4ADFF7B7CFB96B41F400429B815AA0D2DFA01D49C9B0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                  • String ID: 0.0.0.0
                                                                  • API String ID: 208665112-3771769585
                                                                  • Opcode ID: c1c14c774746fce1b35ba91b2d62f4f6374006053456f3a7c88c46ed8e07ebc8
                                                                  • Instruction ID: 4e53868eb56182d6f8b37a048c8b333e5cffd81cb2e1f083df5c3b365f8a53b4
                                                                  • Opcode Fuzzy Hash: c1c14c774746fce1b35ba91b2d62f4f6374006053456f3a7c88c46ed8e07ebc8
                                                                  • Instruction Fuzzy Hash: F711A571500114BBDB24AB74AC86FDE77BCEB51711F0401BEF58596092EFB19AC28A50
                                                                  APIs
                                                                  • timeGetTime.WINMM ref: 00104F7A
                                                                    • Part of subcall function 000C049F: timeGetTime.WINMM(?,7707B400,000B0E7B), ref: 000C04A3
                                                                  • Sleep.KERNEL32(0000000A), ref: 00104FA6
                                                                  • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00104FCA
                                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00104FEC
                                                                  • SetActiveWindow.USER32 ref: 0010500B
                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00105019
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00105038
                                                                  • Sleep.KERNEL32(000000FA), ref: 00105043
                                                                  • IsWindow.USER32 ref: 0010504F
                                                                  • EndDialog.USER32(00000000), ref: 00105060
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                  • String ID: BUTTON
                                                                  • API String ID: 1194449130-3405671355
                                                                  • Opcode ID: ee6755c651abf27b0cc0badef8a1da2989dc4c383142f2557047b618b6f88489
                                                                  • Instruction ID: b94304b88facbfbbb58b7791d579cd34cb489f8e4b4d15b29cfa4fa9501792b8
                                                                  • Opcode Fuzzy Hash: ee6755c651abf27b0cc0badef8a1da2989dc4c383142f2557047b618b6f88489
                                                                  • Instruction Fuzzy Hash: DF2165B0204605FFE7205F20EC89E2A776AEB4978AF141038F542819F5DBE14DE68A71
                                                                  APIs
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  • CoInitialize.OLE32(00000000), ref: 0010D5EA
                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0010D67D
                                                                  • SHGetDesktopFolder.SHELL32(?), ref: 0010D691
                                                                  • CoCreateInstance.COMBASE(00132D7C,00000000,00000001,00158C1C,?), ref: 0010D6DD
                                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0010D74C
                                                                  • CoTaskMemFree.COMBASE(?), ref: 0010D7A4
                                                                  • _memset.LIBCMT ref: 0010D7E1
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 0010D81D
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0010D840
                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 0010D847
                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 0010D87E
                                                                  • CoUninitialize.COMBASE ref: 0010D880
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                  • String ID:
                                                                  • API String ID: 1246142700-0
                                                                  • Opcode ID: ce7648011a7167893a13bb9e6e5bbd40fa663e359086793772d0e6664193f618
                                                                  • Instruction ID: fd62f07dcb02f694826d756319bf6050d918d79f586bdbe344556300785a6e60
                                                                  • Opcode Fuzzy Hash: ce7648011a7167893a13bb9e6e5bbd40fa663e359086793772d0e6664193f618
                                                                  • Instruction Fuzzy Hash: 86B11C75A00109AFDB14DFA4D884DAEBBB9FF49314F048469F909EB261DB70ED45CB50
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000001), ref: 000FC283
                                                                  • GetWindowRect.USER32(00000000,?), ref: 000FC295
                                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000FC2F3
                                                                  • GetDlgItem.USER32(?,00000002), ref: 000FC2FE
                                                                  • GetWindowRect.USER32(00000000,?), ref: 000FC310
                                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000FC364
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 000FC372
                                                                  • GetWindowRect.USER32(00000000,?), ref: 000FC383
                                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000FC3C6
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 000FC3D4
                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000FC3F1
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 000FC3FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                  • String ID:
                                                                  • API String ID: 3096461208-0
                                                                  • Opcode ID: cc173e7b36e97399f70413ba6251eefc9b6311ccbdaf19c663a632e862c1791e
                                                                  • Instruction ID: 61679cca9c7cd3917ca6b5c10b1dc4c4c730610b5be3ca481a905b3ce08b4e4d
                                                                  • Opcode Fuzzy Hash: cc173e7b36e97399f70413ba6251eefc9b6311ccbdaf19c663a632e862c1791e
                                                                  • Instruction Fuzzy Hash: 17513F71B00209BBDB18CFA9DD8AEAEBBB6EB88710F14813DF615D6690D7709D418B10
                                                                  APIs
                                                                    • Part of subcall function 000A25DB: GetWindowLongW.USER32(?,000000EB), ref: 000A25EC
                                                                  • GetSysColor.USER32(0000000F), ref: 000A21D3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ColorLongWindow
                                                                  • String ID:
                                                                  • API String ID: 259745315-0
                                                                  • Opcode ID: b6869ad6288826746515a60db0cc68d6abc16e5182fb6ff9865bb569cd19bb4e
                                                                  • Instruction ID: 042db7b04dcaf795e9ebaf6ebfc0a721bf73a761a5faa1d50354144e8de0cc91
                                                                  • Opcode Fuzzy Hash: b6869ad6288826746515a60db0cc68d6abc16e5182fb6ff9865bb569cd19bb4e
                                                                  • Instruction Fuzzy Hash: 6E417031100540FADB255F6CDC88BB93BA6EB47321F554279FE658A1E6C7318C92DB21
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?,0012F910), ref: 0010A90B
                                                                  • GetDriveTypeW.KERNEL32(00000061,001589A0,00000061), ref: 0010A9D5
                                                                  • _wcscpy.LIBCMT ref: 0010A9FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                  • API String ID: 2820617543-1000479233
                                                                  • Opcode ID: ed0f6f5df9ed18686298a3833e40f5995748b262d2a394820121b8e1a08e3112
                                                                  • Instruction ID: 7b3c9e4c94c09c852851fde01dbc6e97f286096ec48ae2f64e3360189eb3209c
                                                                  • Opcode Fuzzy Hash: ed0f6f5df9ed18686298a3833e40f5995748b262d2a394820121b8e1a08e3112
                                                                  • Instruction Fuzzy Hash: EC51B031218301DBC704EF14C992AAFB7A5EF95708F91482DF8D56B2E2DB719909CB53
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __i64tow__itow__swprintf
                                                                  • String ID: %.15g$0x%p$False$True
                                                                  • API String ID: 421087845-2263619337
                                                                  • Opcode ID: 4f07b8ac9910acd7e16008afee75d0570ea9cec3c6dec5c011a6723f355e4ab1
                                                                  • Instruction ID: ef0e35ae0e23e211e8d9dd6270bd28a4a363ca6a849a45f06a83406d0e39a46b
                                                                  • Opcode Fuzzy Hash: 4f07b8ac9910acd7e16008afee75d0570ea9cec3c6dec5c011a6723f355e4ab1
                                                                  • Instruction Fuzzy Hash: FF41A5716007069BDB249F74D842FBA73E8EF46300F20846EE54ADB296EE3599418B20
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0012716A
                                                                  • CreateMenu.USER32 ref: 00127185
                                                                  • SetMenu.USER32(?,00000000), ref: 00127194
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00127221
                                                                  • IsMenu.USER32(?), ref: 00127237
                                                                  • CreatePopupMenu.USER32 ref: 00127241
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0012726E
                                                                  • DrawMenuBar.USER32 ref: 00127276
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                  • String ID: 0$F
                                                                  • API String ID: 176399719-3044882817
                                                                  • Opcode ID: 02e93f889dc568de060812bcc5282c43e56a2ee61a2e1a1d32a8e866c1e825a9
                                                                  • Instruction ID: 94683301008c28e0a67e8f8bf5ef8a32a3502cd0f1433de52bc2c2be432bac1c
                                                                  • Opcode Fuzzy Hash: 02e93f889dc568de060812bcc5282c43e56a2ee61a2e1a1d32a8e866c1e825a9
                                                                  • Instruction Fuzzy Hash: 4F416A74A01219EFDB20DFA4E984E9A7BF9FF49350F144028F945A73A1D731A921CFA0
                                                                  APIs
                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0012755E
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00127565
                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00127578
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00127580
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0012758B
                                                                  • DeleteDC.GDI32(00000000), ref: 00127594
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0012759E
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 001275B2
                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 001275BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                  • String ID: static
                                                                  • API String ID: 2559357485-2160076837
                                                                  • Opcode ID: bc396b03013c1c7e3148ebd5c026db61c1cfa67e96ec34c093881fc64a91cbd5
                                                                  • Instruction ID: fc8fea71e338f6ce555630de288dacda4a34cc498184d57689330e26e479c091
                                                                  • Opcode Fuzzy Hash: bc396b03013c1c7e3148ebd5c026db61c1cfa67e96ec34c093881fc64a91cbd5
                                                                  • Instruction Fuzzy Hash: 1F315A72105225BBDF219F64EC49FEB7BB9EF09720F110228FA15960E0C731D862DBA4
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 000C6E3E
                                                                    • Part of subcall function 000C8B28: __getptd_noexit.LIBCMT ref: 000C8B28
                                                                  • __gmtime64_s.LIBCMT ref: 000C6ED7
                                                                  • __gmtime64_s.LIBCMT ref: 000C6F0D
                                                                  • __gmtime64_s.LIBCMT ref: 000C6F2A
                                                                  • __allrem.LIBCMT ref: 000C6F80
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C6F9C
                                                                  • __allrem.LIBCMT ref: 000C6FB3
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C6FD1
                                                                  • __allrem.LIBCMT ref: 000C6FE8
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C7006
                                                                  • __invoke_watson.LIBCMT ref: 000C7077
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                  • String ID:
                                                                  • API String ID: 384356119-0
                                                                  • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                  • Instruction ID: 73e0c48f54f28f8f61d629fcd5394d9b3caf968e59f9f30ae3968025cc55f52f
                                                                  • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                  • Instruction Fuzzy Hash: 8571B376A00B17ABD724AF68DC41F9EB7E8AF04724F14823EF514D6282E771DD408B91
APIs
• _memset.LIBCMT ref: 00102542
• GetMenuItemInfoW.USER32(00165890,000000FF,00000000,00000030), ref: 001025A3
• SetMenuItemInfoW.USER32(00165890,00000004,00000000,00000030), ref: 001025D9
• Sleep.KERNEL32(000001F4), ref: 001025EB
• GetMenuItemCount.USER32(?), ref: 0010262F
• GetMenuItemID.USER32(?,00000000), ref: 0010264B
• GetMenuItemID.USER32(?,-00000001), ref: 00102675
• GetMenuItemID.USER32(?,?), ref: 001026BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00102700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00102714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00102735
Memory Dump Source
• Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
• Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00126FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00126FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00126FCC
• _memset.LIBCMT ref: 00126FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00126FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00127067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000F6BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 000F6C18
• VariantInit.OLEAUT32(?), ref: 000F6C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 000F6C4A
• VariantCopy.OLEAUT32(?,?), ref: 000F6C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 000F6CB1
• VariantClear.OLEAUT32(?), ref: 000F6CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 000F6CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000F6CDC
• VariantClear.OLEAUT32(?), ref: 000F6CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000F6CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
• API String ID: 2862541840-1765764032
APIs
  • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
  • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
• CoInitialize.OLE32 ref: 00118403
• CoUninitialize.COMBASE ref: 0011840E
• CoCreateInstance.COMBASE(?,00000000,00000017,00132BEC,?), ref: 0011846E
• IIDFromString.COMBASE(?,?), ref: 001184E1
• VariantInit.OLEAUT32(?), ref: 0011857B
• VariantClear.OLEAUT32(?), ref: 001185DC
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WS2_32(00000101,?), ref: 00115793
• inet_addr.WS2_32(?), ref: 001157D8
• gethostbyname.WS2_32(?), ref: 001157E4
• IcmpCreateFile.IPHLPAPI ref: 001157F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00115862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00115878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 001158ED
• WSACleanup.WS2_32 ref: 001158F3
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
Strings
• argument not compiled in 16 bit mode, xrefs: 000F0D77
• internal error: missing capturing bracket, xrefs: 000F0D7F
• ERCP, xrefs: 000B61B3
• argument is not a compiled regular expression, xrefs: 000F0D87
• failed to get memory, xrefs: 000B6326
• internal error: opcode not recognized, xrefs: 000B631B
Similarity
• API ID: _memset$_memmove
• String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
• API String ID: 2532777613-264027815
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0010B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0010B546
• GetLastError.KERNEL32 ref: 0010B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0010B5BD
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000F9014
                                                                  • GetDlgCtrlID.USER32 ref: 000F901F
                                                                  • GetParent.USER32 ref: 000F903B
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 000F903E
                                                                  • GetDlgCtrlID.USER32(?), ref: 000F9047
                                                                  • GetParent.USER32(?), ref: 000F9063
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 000F9066
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1536045017-1403004172
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000F90FD
                                                                  • GetDlgCtrlID.USER32 ref: 000F9108
                                                                  • GetParent.USER32 ref: 000F9124
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 000F9127
                                                                  • GetDlgCtrlID.USER32(?), ref: 000F9130
                                                                  • GetParent.USER32(?), ref: 000F914C
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 000F914F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1536045017-1403004172
                                                                  APIs
                                                                  • GetParent.USER32 ref: 000F916F
                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 000F9184
                                                                  • _wcscmp.LIBCMT ref: 000F9196
                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000F9211
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                  • API String ID: 1704125052-3381328864
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 001188D7
                                                                  • CoInitialize.OLE32(00000000), ref: 00118904
                                                                  • CoUninitialize.COMBASE ref: 0011890E
                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00118A0E
                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00118B3B
                                                                  • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00132C0C), ref: 00118B6F
                                                                  • CoGetObject.OLE32(?,00000000,00132C0C,?), ref: 00118B92
                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00118BA5
                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00118C25
                                                                  • VariantClear.OLEAUT32(?), ref: 00118C35
                                                                  Similarity
                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                  • String ID:
                                                                  • API String ID: 2395222682-0
                                                                  APIs
                                                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00107A6C
                                                                  Similarity
                                                                  • API ID: ArraySafeVartype
                                                                  • String ID:
                                                                  • API String ID: 1725837607-0
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 001011F0
                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00100268,?,00000001), ref: 00101204
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0010120B
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00100268,?,00000001), ref: 0010121A
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0010122C
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00100268,?,00000001), ref: 00101245
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00100268,?,00000001), ref: 00101257
                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00100268,?,00000001), ref: 0010129C
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00100268,?,00000001), ref: 001012B1
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00100268,?,00000001), ref: 001012BC
                                                                  Similarity
                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                  • String ID:
                                                                  • API String ID: 2156557900-0
                                                                  APIs
                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000AFAA6
                                                                  • OleUninitialize.OLE32(?,00000000), ref: 000AFB45
                                                                  • UnregisterHotKey.USER32(?), ref: 000AFC9C
                                                                  • DestroyWindow.USER32(?), ref: 000E45D6
                                                                  • FreeLibrary.KERNEL32(?), ref: 000E463B
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E4668
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                  • String ID: close all
                                                                  • API String ID: 469580280-3243417748
                                                                  APIs
                                                                  • EnumChildWindows.USER32(?,000FA439), ref: 000FA377
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ChildEnumWindows
                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                  • API String ID: 3555792229-1603158881
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 000A2EAE
                                                                    • Part of subcall function 000A1DB3: GetClientRect.USER32(?,?), ref: 000A1DDC
                                                                    • Part of subcall function 000A1DB3: GetWindowRect.USER32(?,?), ref: 000A1E1D
                                                                    • Part of subcall function 000A1DB3: ScreenToClient.USER32(?,?), ref: 000A1E45
                                                                  • GetDC.USER32 ref: 000DCD32
                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000DCD45
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 000DCD53
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 000DCD68
                                                                  • ReleaseDC.USER32(?,00000000), ref: 000DCD70
                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000DCDFB
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                  • String ID: U
                                                                  • API String ID: 4009187628-3372436214
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00126E24
                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00126E38
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00126E52
                                                                  • _wcscat.LIBCMT ref: 00126EAD
                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00126EC4
                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00126EF2
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$Window_wcscat
                                                                  • String ID: -----$SysListView32
                                                                  • API String ID: 307300125-3975388722
                                                                  • Opcode ID: 3150143817cb7de13ac3d058d51ab420c285b4252a242dc23c57971f6d83dd48
                                                                  • Instruction ID: cac09b5391e366143fcfadd57c58758423994411825947d3b28dadfc493c1903
                                                                  • Opcode Fuzzy Hash: 3150143817cb7de13ac3d058d51ab420c285b4252a242dc23c57971f6d83dd48
                                                                  • Instruction Fuzzy Hash: EE419E74A00358EBDB21DFA4DC85BEE77B8EF08350F10046AF594A72D1D7719D958B60
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00111A50
                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00111A7C
                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00111ABE
                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00111AD3
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00111AE0
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00111B10
                                                                  • InternetCloseHandle.WININET(00000000), ref: 00111B57
                                                                    • Part of subcall function 00112483: GetLastError.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 00112498
                                                                    • Part of subcall function 00112483: SetEvent.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 001124AD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                  • String ID:
                                                                  • API String ID: 2603140658-3916222277
                                                                  • Opcode ID: 4049d7522f3ed1c6bbfa23a29e8fbd8d04a90e5671e096e4f1f1e21a568dabd1
                                                                  • Instruction ID: 71442fbbfe1bfd38cd60e7c6013e4a9834b564f9af344e0e786f26a1a272fdac
                                                                  • Opcode Fuzzy Hash: 4049d7522f3ed1c6bbfa23a29e8fbd8d04a90e5671e096e4f1f1e21a568dabd1
                                                                  • Instruction Fuzzy Hash: 21417DB1505218BFEB198F50CC89FFEBBACEF08354F00413AFA059A141E7709E959BA4
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0012F910), ref: 00118D28
                                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0012F910), ref: 00118D5C
                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00118ED6
                                                                  • SysFreeString.OLEAUT32(?), ref: 00118F00
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                  • String ID:
                                                                  • API String ID: 560350794-0
                                                                  • Opcode ID: e3431b2bb11480a5fbd19cc2a3428b068c3d6ce3926a65f168f628ec67e0031d
                                                                  • Instruction ID: 15dbe77e8040ca3a0e91d3d3d3130b3fa4a88a5057fdced6595d86013c567ec6
                                                                  • Opcode Fuzzy Hash: e3431b2bb11480a5fbd19cc2a3428b068c3d6ce3926a65f168f628ec67e0031d
                                                                  • Instruction Fuzzy Hash: B1F10B71A00209AFDF18DF94C884EEEB7B9FF49314F108568F515AB251DB31AE86CB91
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0011F6B5
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011F848
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011F86C
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011F8AC
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011F8CE
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0011FA4A
                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0011FA7C
                                                                  • CloseHandle.KERNEL32(?), ref: 0011FAAB
                                                                  • CloseHandle.KERNEL32(?), ref: 0011FB22
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                  • String ID:
                                                                  • API String ID: 4090791747-0
                                                                  • Opcode ID: 9c3dcdf11cbeee1bd2512c8dc98c00f62969abdc85d7f44ddb973fcc17f6ca53
                                                                  • Instruction ID: fb48ecf14fac1519f8151afb44667921157e279d2881da19471dd2c44fad1de5
                                                                  • Opcode Fuzzy Hash: 9c3dcdf11cbeee1bd2512c8dc98c00f62969abdc85d7f44ddb973fcc17f6ca53
                                                                  • Instruction Fuzzy Hash: 2DE180316043019FC718EF24C891BAEBBE5AF85354F14857DF8959B2A2DB31EC86CB52
                                                                  APIs
                                                                    • Part of subcall function 000A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A2036,?,00000000,?,?,?,?,000A16CB,00000000,?), ref: 000A1B9A
                                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000A20D3
                                                                  • KillTimer.USER32(-00000001,?,?,?,?,000A16CB,00000000,?,?,000A1AE2,?,?), ref: 000A216E
                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 000DBCA6
                                                                  • DeleteObject.GDI32(00000000), ref: 000DBD1C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 2402799130-0
                                                                  • Opcode ID: 3b4ed9e7b8ec7a73463eed2256348436a2380d4f3eb0d21b0dfc6f0c221a9ae6
                                                                  • Instruction ID: 52a3a70ebd2bbbffafa931efbda3c90aac77e08b0dced674bd5b1df2b327d66d
                                                                  • Opcode Fuzzy Hash: 3b4ed9e7b8ec7a73463eed2256348436a2380d4f3eb0d21b0dfc6f0c221a9ae6
                                                                  • Instruction Fuzzy Hash: 0E615831510B01EFCB359F59DD48B29B7F2FB51312F508539E5828BE61C7B1A8A2DBA0
                                                                  APIs
                                                                    • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00103697,?), ref: 0010468B
                                                                    • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00103697,?), ref: 001046A4
                                                                    • Part of subcall function 00104A31: GetFileAttributesW.KERNEL32(?,0010370B), ref: 00104A32
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00104D40
                                                                  • _wcscmp.LIBCMT ref: 00104D5A
                                                                  • MoveFileW.KERNEL32(?,?), ref: 00104D75
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 793581249-0
                                                                  • Opcode ID: ca98875b89fe95ff5c6e8290e24bea0da69967b642b7549590a84ab1ce1277d9
                                                                  • Instruction ID: 879ae572b63e4ccfc2fca6475e5093c0e7c6ead82a3c2e2859c343e5a33ebd4c
                                                                  • Opcode Fuzzy Hash: ca98875b89fe95ff5c6e8290e24bea0da69967b642b7549590a84ab1ce1277d9
                                                                  • Instruction Fuzzy Hash: 135141B20083459BC724DBA4D881DDFB3ECAF95350F00492EB2C9D3192EF75A589C766
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001286FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: a4e7cd6fa576e4ae7f480261de60710d36558dc9c6acbd8d88795f104ec98458
                                                                  • Instruction ID: 6b28a9ad6cbcd23675f708e829911f686912bcd9e05fa4277256e1d2b40f1d29
                                                                  • Opcode Fuzzy Hash: a4e7cd6fa576e4ae7f480261de60710d36558dc9c6acbd8d88795f104ec98458
                                                                  • Instruction Fuzzy Hash: 7651C030602274BFEB249F28EC89FAD7BA5EB05324F604125F910E65A1CF75A9B0CB40
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000DC2F7
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000DC319
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000DC331
                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000DC34F
                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000DC370
                                                                  • DestroyCursor.USER32(00000000), ref: 000DC37F
                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000DC39C
                                                                  • DestroyCursor.USER32(?), ref: 000DC3AB
                                                                    • Part of subcall function 0012A4AF: DeleteObject.GDI32(00000000), ref: 0012A4E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                                  • String ID:
                                                                  • API String ID: 2975913752-0
                                                                  • Opcode ID: deb646ce20d8a775e0411cd874b46aa969a794d0860a0b4ad13238b39bac8a43
                                                                  • Instruction ID: 825a249b99ad625bc7ee147007296855d1012a3d01874f494130f8eea554d246
                                                                  • Opcode Fuzzy Hash: deb646ce20d8a775e0411cd874b46aa969a794d0860a0b4ad13238b39bac8a43
                                                                  • Instruction Fuzzy Hash: 24515970A1020AAFDB24DFA9CC45FAE7BF5EB19310F104529F94297690D7B0EDA1DB60
                                                                  APIs
                                                                    • Part of subcall function 000FA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 000FA84C
                                                                    • Part of subcall function 000FA82C: GetCurrentThreadId.KERNEL32 ref: 000FA853
                                                                    • Part of subcall function 000FA82C: AttachThreadInput.USER32(00000000,?,000F9683,?,00000001), ref: 000FA85A
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 000F968E
                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000F96AB
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000F96AE
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 000F96B7
                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000F96D5
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000F96D8
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 000F96E1
                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000F96F8
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000F96FB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                  • String ID:
                                                                  • API String ID: 2014098862-0
                                                                  • Opcode ID: bd96951706fb3c6b686bd6d70a9466d225ab3d78a469236ea53b77d7b1128c19
                                                                  • Instruction ID: 95ee828f3526c1171460891b6777d7efecd767051e80b81b48d6d62c68c68f9b
                                                                  • Opcode Fuzzy Hash: bd96951706fb3c6b686bd6d70a9466d225ab3d78a469236ea53b77d7b1128c19
                                                                  • Instruction Fuzzy Hash: 0E11E5B1910218BEF6206F60DC49FBA3B2DDB4C791F500439F344AB4A1CAF25C62DAA4
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 000F892A
                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 000F8931
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 000F8946
                                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 000F894E
                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 000F8951
                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 000F8961
                                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 000F8969
                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 000F896C
                                                                  • CreateThread.KERNEL32(00000000,00000000,000F8992,00000000,00000000,00000000), ref: 000F8986
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                                  • String ID:
                                                                  • API String ID: 1422014791-0
                                                                  • Opcode ID: 02e7516a1aea4eb138b45861c2e4df6522459c1185b8b3bd7b99c6b21afbad4b
                                                                  • Instruction ID: 11be64d71f25a2b2640a092abe8d9a09b79b413562240474f55278231d7b9220
                                                                  • Opcode Fuzzy Hash: 02e7516a1aea4eb138b45861c2e4df6522459c1185b8b3bd7b99c6b21afbad4b
                                                                  • Instruction Fuzzy Hash: 3C01BF75640308FFE720ABA5DD4EF673B6CEB89711F408425FA05DB591CA709862CB20
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                  • API String ID: 0-572801152
                                                                  • Opcode ID: dec511e2d2e2a6ee8c035c61127c523e0f259afa1451f78dddb2032c8943839c
                                                                  • Instruction ID: 5cb92e3b02d1447d2945f1d62a8e67acce8934a21e206c51114d7359d0943803
                                                                  • Opcode Fuzzy Hash: dec511e2d2e2a6ee8c035c61127c523e0f259afa1451f78dddb2032c8943839c
                                                                  • Instruction Fuzzy Hash: 78C1C371A002099FDF18DFA8D894BEEB7F5FB48314F148479E915AB281E770AD81CB90
                                                                  APIs
                                                                    • Part of subcall function 000F710A: CLSIDFromProgID.COMBASE ref: 000F7127
                                                                    • Part of subcall function 000F710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 000F7142
                                                                    • Part of subcall function 000F710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F7150
                                                                    • Part of subcall function 000F710A: CoTaskMemFree.COMBASE(00000000), ref: 000F7160
                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00119806
                                                                  • _memset.LIBCMT ref: 00119813
                                                                  • _memset.LIBCMT ref: 00119956
                                                                  • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00119982
                                                                  • CoTaskMemFree.COMBASE(?), ref: 0011998D
                                                                  Strings
                                                                  • NULL Pointer assignment, xrefs: 001199DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                  • String ID: NULL Pointer assignment
                                                                  • API String ID: 1300414916-2785691316
                                                                  • Opcode ID: a3f98e7a52cc277f29754fa004a2716a1d335d9769ce5feebc87bd7aa71001c3
                                                                  • Instruction ID: 5bb7842e47b5d1e797b28af475faf609c46bbb4b26d25a34f250bb97cfc62d70
                                                                  • Opcode Fuzzy Hash: a3f98e7a52cc277f29754fa004a2716a1d335d9769ce5feebc87bd7aa71001c3
                                                                  • Instruction Fuzzy Hash: 22912671D00229EBDB14DFA5DC51EDEBBB9BF09310F10416AF519A7281DB71AA44CFA0
                                                                  APIs
                                                                    • Part of subcall function 00103C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00103C7A
                                                                    • Part of subcall function 00103C55: Process32FirstW.KERNEL32(00000000,?), ref: 00103C88
                                                                    • Part of subcall function 00103C55: CloseHandle.KERNEL32(00000000), ref: 00103D52
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9A4
                                                                  • GetLastError.KERNEL32 ref: 0011E9B7
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011E9E6
                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0011EA63
                                                                  • GetLastError.KERNEL32(00000000), ref: 0011EA6E
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0011EAA3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                  • String ID: SeDebugPrivilege
                                                                  • API String ID: 2533919879-2896544425
                                                                  • Opcode ID: e178b64f40fb7ab99026c3c3d732ee813c484175de41b3d91a3c67b8d87f17db
                                                                  • Instruction ID: ee717c6a6a34b487cc6b8f40bd52218a0125501cfeb8d7f137e4bc701ec92fad
                                                                  • Opcode Fuzzy Hash: e178b64f40fb7ab99026c3c3d732ee813c484175de41b3d91a3c67b8d87f17db
                                                                  • Instruction Fuzzy Hash: 1341AC302002019FDB28EF94DCA5FAEB7E5AF41714F048468F9029B2D3CB75A895CB91
                                                                  APIs
                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00103033
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoad
                                                                  • String ID: blank$info$question$stop$warning
                                                                  • API String ID: 2457776203-404129466
                                                                  • Opcode ID: 7fe4a269ba100ff6a5647fe4a16498ab49db1a32175fe632dccf87586d5e9969
                                                                  • Instruction ID: 0ea0adb5fc813d98c3c819f96dcfc7d8397a145c040adefc323ac8f829c37e47
                                                                  • Opcode Fuzzy Hash: 7fe4a269ba100ff6a5647fe4a16498ab49db1a32175fe632dccf87586d5e9969
                                                                  • Instruction Fuzzy Hash: 69113A35349386BEE7199B54DC42DAF77ACDF15360B20402EF960BA5C2EBF05F4456A0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00104312
                                                                  • LoadStringW.USER32(00000000), ref: 00104319
                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0010432F
                                                                  • LoadStringW.USER32(00000000), ref: 00104336
                                                                  • _wprintf.LIBCMT ref: 0010435C
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0010437A
                                                                  Strings
                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00104357
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                  • API String ID: 3648134473-3128320259
                                                                  • Opcode ID: 3b8d0d1ccb83e3d6a82f5b8d88f6a0cddcad8a615a685e213ca8d2bc11977fb1
                                                                  • Instruction ID: a1a17eafe818c972f893826a11559fa63719cabd1c3b9fcacc80d8224c37615b
                                                                  • Opcode Fuzzy Hash: 3b8d0d1ccb83e3d6a82f5b8d88f6a0cddcad8a615a685e213ca8d2bc11977fb1
                                                                  • Instruction Fuzzy Hash: 06018FF280020CBFE72097A0DD89EEA777CEB08300F4000B9BB45E6051EA705ED64B70
                                                                  APIs
                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000), ref: 000A2ACF
                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 000A2B17
                                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000), ref: 000DC21A
                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000DC1C7,00000004,00000000,00000000,00000000), ref: 000DC286
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ShowWindow
                                                                  • String ID:
                                                                  • API String ID: 1268545403-0
                                                                  • Opcode ID: 273d2cbe616ee4854282fe058a4b80917fc7b56652bbcf189279bf04801c7533
                                                                  • Instruction ID: 5ab5b3536992925abdc22506f564a60c557838c475a2a060efd60afc7a8009cf
                                                                  • Opcode Fuzzy Hash: 273d2cbe616ee4854282fe058a4b80917fc7b56652bbcf189279bf04801c7533
                                                                  • Instruction Fuzzy Hash: 3D411B31604780ABD7758BAC9D88B7F7BE3AF57310F15843EE04782A61C7709882D722
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 001070DD
                                                                    • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                                    • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00107114
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 00107130
                                                                  • _memmove.LIBCMT ref: 0010717E
                                                                  • _memmove.LIBCMT ref: 0010719B
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 001071AA
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001071BF
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 001071DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 256516436-0
                                                                  • Opcode ID: 357ec7cdccfe91109d5c791cabe9afa71c884631efebad8b681cc30468ed5bca
                                                                  • Instruction ID: e1600b4b37cc99ed0efc164fdf5e8ec315a41618becaaf5f0546c2368df93f9a
                                                                  • Opcode Fuzzy Hash: 357ec7cdccfe91109d5c791cabe9afa71c884631efebad8b681cc30468ed5bca
                                                                  • Instruction Fuzzy Hash: 85315D71900205EBCB10EFA4DD85EAEB778EF45710F1541B9F904AB296DB70EE61CBA0
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 001261EB
                                                                  • GetDC.USER32(00000000), ref: 001261F3
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001261FE
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0012620A
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00126246
                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00126257
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0012902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00126291
                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001262B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 3864802216-0
                                                                  Similarity
                                                                  • API ID: _memcmp
                                                                  • String ID:
                                                                  • API String ID: 2931989736-0
                                                                  APIs
                                                                  • IsWindow.USER32(01282378), ref: 0012B3EB
                                                                  • IsWindowEnabled.USER32(01282378), ref: 0012B3F7
                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0012B4DB
                                                                  • SendMessageW.USER32(01282378,000000B0,?,?), ref: 0012B512
                                                                  • IsDlgButtonChecked.USER32(?,?), ref: 0012B54F
                                                                  • GetWindowLongW.USER32(01282378,000000EC), ref: 0012B571
                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0012B589
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                  • String ID:
                                                                  • API String ID: 4072528602-0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0011F448
                                                                  • _memset.LIBCMT ref: 0011F511
                                                                  • ShellExecuteExW.SHELL32(?), ref: 0011F556
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                    • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                                  • GetProcessId.KERNEL32(00000000), ref: 0011F5CD
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0011F5FC
                                                                  Similarity
                                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                  • String ID: @
                                                                  • API String ID: 3522835683-2766056989
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00100F8C
                                                                  • GetKeyboardState.USER32(?), ref: 00100FA1
                                                                  • SetKeyboardState.USER32(?), ref: 00101002
                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00101030
                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 0010104F
                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00101095
                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001010B8
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  APIs
                                                                  • GetParent.USER32(00000000), ref: 00100DA5
                                                                  • GetKeyboardState.USER32(?), ref: 00100DBA
                                                                  • SetKeyboardState.USER32(?), ref: 00100E1B
                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00100E47
                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00100E64
                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00100EA8
                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00100EC9
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  Similarity
                                                                  • API ID: _wcsncpy$LocalTime
                                                                  • String ID:
                                                                  • API String ID: 2945705084-0
                                                                  APIs
                                                                    • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00103697,?), ref: 0010468B
                                                                    • Part of subcall function 0010466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00103697,?), ref: 001046A4
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 001036B7
                                                                  • _wcscmp.LIBCMT ref: 001036D3
                                                                  • MoveFileW.KERNEL32(?,?), ref: 001036EB
                                                                  • _wcscat.LIBCMT ref: 00103733
                                                                  • SHFileOperationW.SHELL32(?), ref: 0010379F
                                                                  Similarity
                                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                  • String ID: \*.*
                                                                  • API String ID: 1377345388-1173974218
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 001272AA
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00127351
                                                                  • IsMenu.USER32(?), ref: 00127369
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001273B1
                                                                  • DrawMenuBar.USER32 ref: 001273C4
                                                                  Similarity
                                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                                  • String ID: 0
                                                                  • API String ID: 3866635326-4108050209
                                                                  APIs
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00120FD4
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00120FFE
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 001210B5
                                                                    • Part of subcall function 00120FA5: RegCloseKey.ADVAPI32(?), ref: 0012101B
                                                                    • Part of subcall function 00120FA5: FreeLibrary.KERNEL32(?), ref: 0012106D
                                                                    • Part of subcall function 00120FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00121090
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00121058
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                  • String ID:
                                                                  • API String ID: 395352322-0
                                                                  • Opcode ID: befc4ab77e8c9106b912da0a53d2f8d8b4f8e3efcb20ba7f1a478db60e67eed5
                                                                  • Instruction ID: 666c9e6578a2c3bccd684aa500c4029465226ab94daf4f3c650f08f89e598f53
                                                                  • Opcode Fuzzy Hash: befc4ab77e8c9106b912da0a53d2f8d8b4f8e3efcb20ba7f1a478db60e67eed5
                                                                  • Instruction Fuzzy Hash: 7831EA71901119BFDB25DF90EC89EFFB7BCEB18300F000269F501A2151EB749E969AA4
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001262EC
                                                                  • GetWindowLongW.USER32(01282378,000000F0), ref: 0012631F
                                                                  • GetWindowLongW.USER32(01282378,000000F0), ref: 00126354
                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00126386
                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001263B0
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 001263C1
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001263DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 2178440468-0
                                                                  • Opcode ID: adb4bf80303d649e20ff0e5b8080f380b8e50b3ebfc21d48646ca08c139454a5
                                                                  • Instruction ID: 0382fddd146e3a6f9b8466b86ca335bc000266c79e1f10132b43a410bd7701ab
                                                                  • Opcode Fuzzy Hash: adb4bf80303d649e20ff0e5b8080f380b8e50b3ebfc21d48646ca08c139454a5
                                                                  • Instruction Fuzzy Hash: FF311230640260AFDB20CF19EC84F5537E6FB4A754F1941A8F5459F6F2CB71ACA19B90
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDB2E
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDB54
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 000FDB57
                                                                  • SysAllocString.OLEAUT32(?), ref: 000FDB75
                                                                  • SysFreeString.OLEAUT32(?), ref: 000FDB7E
                                                                  • StringFromGUID2.COMBASE(?,?,00000028), ref: 000FDBA3
                                                                  • SysAllocString.OLEAUT32(?), ref: 000FDBB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: deda59ff3dec73208d23550233842443144d0b8452e8158cc64d3543c5cbf07a
                                                                  • Instruction ID: 2c6b51d97880e24441571d65ff5adf06e447f474adad6f984ff4446621af0b28
                                                                  • Opcode Fuzzy Hash: deda59ff3dec73208d23550233842443144d0b8452e8158cc64d3543c5cbf07a
                                                                  • Instruction Fuzzy Hash: AF217436600219AFDB10AFA8DC48DBB73EDEB09360B01857AFA14DB551D7709C429760
                                                                  APIs
                                                                    • Part of subcall function 00117D8B: inet_addr.WS2_32(00000000), ref: 00117DB6
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 001161C6
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 001161D5
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0011620E
                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00116217
                                                                  • WSAGetLastError.WS2_32 ref: 00116221
                                                                  • closesocket.WS2_32(00000000), ref: 0011624A
                                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00116263
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 910771015-0
                                                                  • Opcode ID: f1e30579487ea873af7fe35a11bed350c93af378f8282aebb508ec6db18ca4a8
                                                                  • Instruction ID: aa11fcd8ca6b61cb15219607351e29258da2b072504c1a6b17fd4bb0ec1fd3b5
                                                                  • Opcode Fuzzy Hash: f1e30579487ea873af7fe35a11bed350c93af378f8282aebb508ec6db18ca4a8
                                                                  • Instruction Fuzzy Hash: B231AF31600118ABDF24AF64CC85BFE7BB9EB45720F044039FD05A7292CB75AC959BA1
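The "APIs" call lists in these function records follow a fixed layout that can be triaged mechanically instead of by eye. As an added example that is not part of the Joe Sandbox report, the following Python parses that layout into per-function call records, decodes the Winsock constants in the connect routine above (AF_INET/SOCK_STREAM/IPPROTO_TCP, and the ioctlsocket command 8004667E, which is FIONBIO), and flags network and registry activity. The two sample records are copied from this section (the connect routine and the RegEnumKeyExW/RegDeleteKeyW routine); the category names are my own labels, not Joe Sandbox terminology.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: two "APIs" lists copied from this report, in the
# exact layout Joe Sandbox emits (bullets, "Part of subcall function", "ref:").
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00117D8B: inet_addr.WS2_32(00000000), ref: 00117DB6
• socket.WS2_32(00000002,00000001,00000006), ref: 001161C6
• WSAGetLastError.WS2_32(00000000), ref: 001161D5
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0011620E
• connect.WSOCK32(00000000,?,00000010), ref: 00116217
• WSAGetLastError.WS2_32 ref: 00116221
• closesocket.WS2_32(00000000), ref: 0011624A
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00116263
Memory Dump Source
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00120FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00120FFE
• FreeLibrary.KERNEL32(00000000), ref: 001210B5
  • Part of subcall function 00120FA5: RegCloseKey.ADVAPI32(?), ref: 0012101B
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00121058
Memory Dump Source
"""

# One call line: optional subcall prefix, Api.Module, optional (args), "ref: addr".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Winsock constants used for decoding.
SOCKET_AF = {0x2: "AF_INET", 0x17: "AF_INET6"}
SOCKET_TYPE = {0x1: "SOCK_STREAM", 0x2: "SOCK_DGRAM"}
SOCKET_PROTO = {0x6: "IPPROTO_TCP", 0x11: "IPPROTO_UDP"}
IOCTL_CMDS = {0x8004667E: "FIONBIO"}

NETWORK_APIS = {"socket", "connect", "ioctlsocket", "closesocket", "inet_addr",
                "send", "recv", "WSAGetLastError"}
REGISTRY_APIS = {"RegEnumKeyExW", "RegOpenKeyExW", "RegDeleteKeyW", "RegCloseKey"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw tokens; "?" means the sandbox could not resolve the value
    ref: str                 # address of the call site in the dumped image
    subcall: Optional[str]   # set when the call was observed inside a callee


def _parse_line(line: str) -> Optional[Call]:
    m = CALL_RE.match(line)
    if not m:
        return None  # headers such as "APIs" or "Memory Dump Source"
    args = [a for a in (m.group("args") or "").split(",") if a]
    return Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub"))


def parse_calls(text: str) -> List[Call]:
    """All call lines in the listing, in order, ignoring record boundaries."""
    return [c for c in map(_parse_line, text.splitlines()) if c is not None]


def split_records(text: str) -> List[List[Call]]:
    """Group calls per function record; a new record starts at each 'APIs' header."""
    records: List[List[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
        elif records:
            call = _parse_line(line)
            if call is not None:
                records[-1].append(call)
    return records


def _hex(tok: str) -> Optional[int]:
    try:
        return int(tok, 16)
    except ValueError:
        return None  # "?" or a symbolic argument


def annotate(call: Call) -> str:
    """Render a call with well-known constants decoded."""
    if call.api == "socket" and len(call.args) == 3:
        af, ty, pr = (_hex(a) for a in call.args)
        return (f"socket({SOCKET_AF.get(af, af)}, {SOCKET_TYPE.get(ty, ty)}, "
                f"{SOCKET_PROTO.get(pr, pr)})")
    if call.api == "ioctlsocket" and len(call.args) >= 2:
        cmd = _hex(call.args[1])
        return f"ioctlsocket(cmd={IOCTL_CMDS.get(cmd, call.args[1])})"
    return f"{call.api}({', '.join(call.args)})"


def categorize(calls: List[Call]) -> set:
    """Coarse triage labels (my own names) for a set of calls."""
    names = {c.api for c in calls}
    found = set()
    if names & NETWORK_APIS:
        found.add("network")
    if names & REGISTRY_APIS:
        found.add("registry")
    if {"RegEnumKeyExW", "RegDeleteKeyW"} <= names:
        found.add("key-enum-delete")  # enumerate subkeys and delete them
    return found


if __name__ == "__main__":
    for rec in split_records(SAMPLE_LISTING):
        print(sorted(categorize(rec)))
        for c in rec:
            print(f"  {c.ref}  {annotate(c)}")
```

The ioctlsocket(FIONBIO) calls bracketing connect are the usual shape of a connect with an application-side timeout: the socket is switched to non-blocking mode, connect is issued, and blocking mode is restored afterwards. The decoded view makes that visible in a glance where the raw hex arguments do not.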
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                  • API String ID: 1038674560-2734436370
                                                                  • Opcode ID: 36bad16e06f72d521c6b9bf3833ce4084ec65268acb4a51803ab7348a45f7243
                                                                  • Instruction ID: 420e6a8932a105124424937099e98900324043fb32439fead4955fa6165f67d8
                                                                  • Opcode Fuzzy Hash: 36bad16e06f72d521c6b9bf3833ce4084ec65268acb4a51803ab7348a45f7243
                                                                  • Instruction Fuzzy Hash: 442126722086166AD230BB34AC03FFFB3D8EF55390F144439FA46D6992EFA19D41E295
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDC09
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000FDC2F
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 000FDC32
                                                                  • SysAllocString.OLEAUT32 ref: 000FDC53
                                                                  • SysFreeString.OLEAUT32 ref: 000FDC5C
                                                                  • StringFromGUID2.COMBASE(?,?,00000028), ref: 000FDC76
                                                                  • SysAllocString.OLEAUT32(?), ref: 000FDC84
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: 257605c794889509f33e7978712ecc37396910d84a56dfff70048e2723e7e983
                                                                  • Instruction ID: 15a6221415546daf85da54595dfac8e33604994ce9012ad9e6d63842a8ff3871
                                                                  • Opcode Fuzzy Hash: 257605c794889509f33e7978712ecc37396910d84a56dfff70048e2723e7e983
                                                                  • Instruction Fuzzy Hash: FA213735604109BF9B24EFA8DC89DBB77EDEB09360B108136FA15CB661D6B0DC42D764
                                                                  APIs
                                                                    • Part of subcall function 000A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000A1D73
                                                                    • Part of subcall function 000A1D35: GetStockObject.GDI32(00000011), ref: 000A1D87
                                                                    • Part of subcall function 000A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A1D91
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00127632
                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0012763F
                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0012764A
                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00127659
                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00127665
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                  • String ID: Msctls_Progress32
                                                                  • API String ID: 1025951953-3636473452
                                                                  • Opcode ID: 3c904c8f5ad0ca9a6639441628b98c73a5855c2023a825c9c0f997474d72baaf
                                                                  • Instruction ID: d0e45bc1c84b8538b6ee00ab36c6a03f88a170c102bdf391f7816d2878ca6a8c
                                                                  • Opcode Fuzzy Hash: 3c904c8f5ad0ca9a6639441628b98c73a5855c2023a825c9c0f997474d72baaf
                                                                  • Instruction Fuzzy Hash: 8211B2B2110229BFFF158F64DC85EE7BF6DEF08798F014114BA04A60A0DB729C21DBA4
                                                                  APIs
                                                                  • __init_pointers.LIBCMT ref: 000C9AE6
                                                                    • Part of subcall function 000C3187: RtlEncodePointer.NTDLL(00000000), ref: 000C318A
                                                                    • Part of subcall function 000C3187: __initp_misc_winsig.LIBCMT ref: 000C31A5
                                                                    • Part of subcall function 000C3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000C9EA0
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000C9EB4
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000C9EC7
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000C9EDA
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000C9EED
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000C9F00
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 000C9F13
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000C9F26
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000C9F39
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000C9F4C
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000C9F5F
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000C9F72
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000C9F85
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000C9F98
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000C9FAB
                                                                    • Part of subcall function 000C3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000C9FBE
                                                                  • __mtinitlocks.LIBCMT ref: 000C9AEB
                                                                  • __mtterm.LIBCMT ref: 000C9AF4
                                                                    • Part of subcall function 000C9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 000C9C56
                                                                    • Part of subcall function 000C9B5C: _free.LIBCMT ref: 000C9C5D
                                                                    • Part of subcall function 000C9B5C: RtlDeleteCriticalSection.NTDLL(0015EC00), ref: 000C9C7F
                                                                  • __calloc_crt.LIBCMT ref: 000C9B19
                                                                  • __initptd.LIBCMT ref: 000C9B3B
                                                                  • GetCurrentThreadId.KERNEL32 ref: 000C9B42
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                  • String ID:
                                                                  • API String ID: 3567560977-0
                                                                  • Opcode ID: 5098bc5131fda1fcd9ea2878944dfbc50edcfd32739ce2e3377189b649d69bbd
                                                                  • Instruction ID: 08605646cbc338bc454e9fe711777057b939d3646c590b33cdd4870b1748eebc
                                                                  • Opcode Fuzzy Hash: 5098bc5131fda1fcd9ea2878944dfbc50edcfd32739ce2e3377189b649d69bbd
                                                                  • Instruction Fuzzy Hash: 79F06D325197116AE6747B74BC0BFCE26D0AF02734F214A2EF4649A4D3EF20994145A5
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000C3F85), ref: 000C4085
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 000C408C
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 000C4097
                                                                  • RtlDecodePointer.NTDLL(000C3F85), ref: 000C40B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                  • String ID: RoUninitialize$combase.dll
                                                                  • API String ID: 3489934621-2819208100
                                                                  • Opcode ID: 427531a19eb75e8caba4881da72572239a0791f84f1f975477765707bc3d82a4
                                                                  • Instruction ID: 01ee36dd314deba3393cf2609ea40d64d0c611008b111a24cb063928c7ca5178
                                                                  • Opcode Fuzzy Hash: 427531a19eb75e8caba4881da72572239a0791f84f1f975477765707bc3d82a4
                                                                  • Instruction Fuzzy Hash: FBE09270581300EFEA60AFA1ED09B053AB4B705B42F104038F521E19A0CBB686A6DA24
                                                                  APIs
                                                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 00116C00
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 00116C34
                                                                  • htons.WS2_32(?), ref: 00116CEA
                                                                  • inet_ntoa.WS2_32(?), ref: 00116CA7
                                                                    • Part of subcall function 000FA7E9: _strlen.LIBCMT ref: 000FA7F3
                                                                    • Part of subcall function 000FA7E9: _memmove.LIBCMT ref: 000FA815
                                                                  • _strlen.LIBCMT ref: 00116D44
                                                                  • _memmove.LIBCMT ref: 00116DAD
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 3619996494-0
                                                                  • Opcode ID: 55064c10c2d5aa0a1d81842fca0a9ce5c74914ce836bfe8f699e2f96d8f4f430
                                                                  • Instruction ID: 9006d4589a9e5169c078c80fef0aabc4636b45eac97cba3fb53496eba3e1e3a4
                                                                  • Opcode Fuzzy Hash: 55064c10c2d5aa0a1d81842fca0a9ce5c74914ce836bfe8f699e2f96d8f4f430
                                                                  • Instruction Fuzzy Hash: 7181C171208300ABCB14EBA4DC82FEFB7A8AF95714F14492CF9559B2D2DB719D41CB92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 3253778849-0
                                                                  • Opcode ID: 7a9d2276f8bc6090ad2ff2e4bc0facee7f220cdfea25bb18be49390af5a0a179
                                                                  • Instruction ID: a29986dffc6cee0f74ec6f39454c2c2e03118ebede4a192f0fc5b5b2234b3d9d
                                                                  • Opcode Fuzzy Hash: 7a9d2276f8bc6090ad2ff2e4bc0facee7f220cdfea25bb18be49390af5a0a179
                                                                  • Instruction Fuzzy Hash: 68617A3060065A9BCF05EFA0CC82EFF37A9AF06308F054529F8995B293DB75A915DB50
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001202BD
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001202FD
                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00120320
                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00120349
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0012038C
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00120399
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                  • String ID:
                                                                  • API String ID: 4046560759-0
                                                                  • Opcode ID: eea3845df8e3eb6e5839c1c55af07be05313ffbacfa9bd29ea8f4b896ea88609
                                                                  • Instruction ID: 5e0dd9a4f1ac0f3199727886841d13cb1edf756321fbc3b1137cafa55c759bc2
                                                                  • Opcode Fuzzy Hash: eea3845df8e3eb6e5839c1c55af07be05313ffbacfa9bd29ea8f4b896ea88609
                                                                  • Instruction Fuzzy Hash: 6D515831208204AFC715EF64D885EAFBBE9FF89314F044A2DF5458B2A2DB31E915CB52
                                                                  APIs
                                                                  • GetMenu.USER32(?), ref: 001257FB
                                                                  • GetMenuItemCount.USER32(00000000), ref: 00125832
                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0012585A
                                                                  • GetMenuItemID.USER32(?,?), ref: 001258C9
                                                                  • GetSubMenu.USER32(?,?), ref: 001258D7
                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00125928
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                  • String ID:
                                                                  • API String ID: 650687236-0
                                                                  • Opcode ID: 4cf9b241a9a08b20ff57cc5f572542f158642af1ca5724cb1fbb06f3263d08ec
                                                                  • Instruction ID: 99ab7cb65b89d30d564c2944caef26d107d28a80f751cb59cc72b70da2351e91
                                                                  • Opcode Fuzzy Hash: 4cf9b241a9a08b20ff57cc5f572542f158642af1ca5724cb1fbb06f3263d08ec
                                                                  • Instruction Fuzzy Hash: 57515C31A00625EFCF15EFA4D885AAEBBB5EF49310F104069E841AB352CB74AE51CB90
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 000FEF06
                                                                  • VariantClear.OLEAUT32(00000013), ref: 000FEF78
                                                                  • VariantClear.OLEAUT32(00000000), ref: 000FEFD3
                                                                  • _memmove.LIBCMT ref: 000FEFFD
                                                                  • VariantClear.OLEAUT32(?), ref: 000FF04A
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000FF078
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                                  • String ID:
                                                                  • API String ID: 1101466143-0
                                                                  • Opcode ID: 3fbfdeaace34ce3a3d1ad9bdacf356c142bed7f8077b6cbcfcb2111fa7a72bf0
                                                                  • Instruction ID: 83bac307e8987f3f6dbfb1298a2d6ac2408392dbc42a768755d6f2f6bb117828
                                                                  • Opcode Fuzzy Hash: 3fbfdeaace34ce3a3d1ad9bdacf356c142bed7f8077b6cbcfcb2111fa7a72bf0
                                                                  • Instruction Fuzzy Hash: 52516CB5A00209EFCB14DF58C884AAAB7F8FF4C310F158569EA49DB301E731E951CBA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00102258
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001022A3
                                                                  • IsMenu.USER32(00000000), ref: 001022C3
                                                                  • CreatePopupMenu.USER32 ref: 001022F7
                                                                  • GetMenuItemCount.USER32(000000FF), ref: 00102355
                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00102386
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                  • String ID:
                                                                  • API String ID: 3311875123-0
                                                                  • Opcode ID: 9d50e074986e565c4833eb72f112d090b49c6f0de0aeae5e3eb5dee02c02ad75
                                                                  • Instruction ID: 4a96517cd69d1853f52c306f2ff87d754c433c6e0e12cd23953c7db1328135a9
                                                                  • Opcode Fuzzy Hash: 9d50e074986e565c4833eb72f112d090b49c6f0de0aeae5e3eb5dee02c02ad75
                                                                  • Instruction Fuzzy Hash: 1C51CE30A00209EBDF25CF68C88CBAEBBF5BF19314F148129E895AB2D0D3B48945CB51
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 000A179A
                                                                  • GetWindowRect.USER32(?,?), ref: 000A17FE
                                                                  • ScreenToClient.USER32(?,?), ref: 000A181B
                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000A182C
                                                                  • EndPaint.USER32(?,?), ref: 000A1876
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                  • String ID:
                                                                  • API String ID: 1827037458-0
                                                                  • Opcode ID: 51c9e07cdf41c111782ae53926e7fa1f1f38ec4596aa3707ee73e448593f0ec2
                                                                  • Instruction ID: 54622aa1f615bfb4df3447876f8af2406a4e5f50f5c271476ff9915faf964b6e
                                                                  • Opcode Fuzzy Hash: 51c9e07cdf41c111782ae53926e7fa1f1f38ec4596aa3707ee73e448593f0ec2
                                                                  • Instruction Fuzzy Hash: 6141A030504700EFD720DF65CC84BFA7BF9EB46724F044629F5A48B6A2CB709856DB61
                                                                  APIs
                                                                  • ShowWindow.USER32(001657B0,00000000,01282378,?,?,001657B0,?,0012B5A8,?,?), ref: 0012B712
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 0012B736
                                                                  • ShowWindow.USER32(001657B0,00000000,01282378,?,?,001657B0,?,0012B5A8,?,?), ref: 0012B796
                                                                  • ShowWindow.USER32(00000000,00000004,?,0012B5A8,?,?), ref: 0012B7A8
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 0012B7CC
                                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0012B7EF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 642888154-0
                                                                  • Opcode ID: f448e1c166defc454f03e9fa80174945736fb4f0bfd18e25f368e5a6a1eb7cd3
                                                                  • Instruction ID: 7f52654769e19426672b19a408e62bdbc8791e1f2377878e872b1397a495830d
                                                                  • Opcode Fuzzy Hash: f448e1c166defc454f03e9fa80174945736fb4f0bfd18e25f368e5a6a1eb7cd3
                                                                  • Instruction Fuzzy Hash: C9417F34609251AFDB26CF24E4DAB957BF1FF45310F1841B9E9488F6E2C731A8A6CB50
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00114E41,?,?,00000000,00000001), ref: 001170AC
                                                                    • Part of subcall function 001139A0: GetWindowRect.USER32(?,?), ref: 001139B3
                                                                  • GetDesktopWindow.USER32 ref: 001170D6
                                                                  • GetWindowRect.USER32(00000000), ref: 001170DD
                                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0011710F
                                                                    • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                                  • GetCursorPos.USER32(?), ref: 0011713B
                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00117199
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                  • String ID:
                                                                  • API String ID: 4137160315-0
                                                                  • Opcode ID: 23623dcc323d677bced6f8ef722a9062147e12513755d5453645215267798c86
                                                                  • Instruction ID: 43a7332682c17a49690d78732af7733b1787da4f4e6b4372ba9d0376a6f65121
                                                                  • Opcode Fuzzy Hash: 23623dcc323d677bced6f8ef722a9062147e12513755d5453645215267798c86
                                                                  • Instruction Fuzzy Hash: 0831B072509305ABD724DF14C849F9BBBBAFF88314F000929F58597291CB74EA5ACB92
                                                                  APIs
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                    • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                                  • _wcstok.LIBCMT ref: 0010EC94
                                                                  • _wcscpy.LIBCMT ref: 0010ED23
                                                                  • _memset.LIBCMT ref: 0010ED56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                  • String ID: X
                                                                  • API String ID: 774024439-3081909835
                                                                  • Opcode ID: aeecd8595ade94ab43c76fe68916c1abd4a61a4e1da19ed129e7915f819de19b
                                                                  • Instruction ID: e04997377edce158da001523b6a927c72d7bd449e572eabcf21c0b579ce342cc
                                                                  • Opcode Fuzzy Hash: aeecd8595ade94ab43c76fe68916c1abd4a61a4e1da19ed129e7915f819de19b
                                                                  • Instruction Fuzzy Hash: DBC15D716087059FC714EF64C985AAAB7E4FF86310F04492DF8999B2A2DB70EC45CB92
                                                                  APIs
                                                                    • Part of subcall function 000F80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F80C0
                                                                    • Part of subcall function 000F80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F80CA
                                                                    • Part of subcall function 000F80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F80D9
                                                                    • Part of subcall function 000F80A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 000F80E0
                                                                    • Part of subcall function 000F80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F80F6
                                                                  • GetLengthSid.ADVAPI32(?,00000000,000F842F), ref: 000F88CA
                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000F88D6
                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 000F88DD
                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 000F88F6
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,000F842F), ref: 000F890A
                                                                  • HeapFree.KERNEL32(00000000), ref: 000F8911
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                                                  • String ID:
                                                                  • API String ID: 169236558-0
                                                                  • Opcode ID: 741b475290f50edbb0a127dfe41247f4262289a3f15173a9e4a5c0a0f01e09fa
                                                                  • Instruction ID: 31a7a08123cd241d846891e300089759ee9423c94add5c12e5795a69c8d6c832
                                                                  • Opcode Fuzzy Hash: 741b475290f50edbb0a127dfe41247f4262289a3f15173a9e4a5c0a0f01e09fa
                                                                  • Instruction Fuzzy Hash: C911AC31601209FFDB649FA4DC0ABFE7BB9EB45311F54802CE98597610CB729962EB60
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 000FB7B5
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 000FB7C6
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000FB7CD
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 000FB7D5
                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 000FB7EC
                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 000FB7FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$Release
                                                                  • String ID:
                                                                  • API String ID: 1035833867-0
                                                                  • Opcode ID: e9a948367a524604812b2ca2a7237429d58973cee84681639e5816762d88c855
                                                                  • Instruction ID: afeb444c5a4fb7c7e2eac4f3b6115399ea671d6d9bb11b22cdc995e7e7bb7bb9
                                                                  • Opcode Fuzzy Hash: e9a948367a524604812b2ca2a7237429d58973cee84681639e5816762d88c855
                                                                  • Instruction Fuzzy Hash: 24018475E00309BBEB10ABA6DD45E5EBFB8EB48311F004079FA08A7691D6309C11CF91
                                                                  APIs
                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 000C0193
                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 000C019B
                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000C01A6
                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000C01B1
                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 000C01B9
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 000C01C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual
                                                                  • String ID:
                                                                  • API String ID: 4278518827-0
                                                                  • Opcode ID: d1b52384855e322065998515d744a4f094e4d303004c40fbc4a5d49e4a0f232e
                                                                  • Instruction ID: 1a06bd8f1c17f050b0c0215311757ee313187ecc155d4325525a2692e4f7d128
                                                                  • Opcode Fuzzy Hash: d1b52384855e322065998515d744a4f094e4d303004c40fbc4a5d49e4a0f232e
                                                                  • Instruction Fuzzy Hash: A30148B09027597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A868CBE5
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001053F9
                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0010540F
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0010541E
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010542D
                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00105437
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010543E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 839392675-0
                                                                  • Opcode ID: b02af3aaa5b31c3635a8d92ce3a851225f35dd958b75140c669b6e6304988b7b
                                                                  • Instruction ID: 4a07d83e39f3745a0d8f07b1d0429894d887b32e3fa00374710d2181eb7ae576
                                                                  • Opcode Fuzzy Hash: b02af3aaa5b31c3635a8d92ce3a851225f35dd958b75140c669b6e6304988b7b
                                                                  • Instruction Fuzzy Hash: A1F06231140158BBD7315B529C0DEEB7A7CEBC6B11F00017DF904D145097A01A6386B5
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00107243
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 00107254
                                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,000B0EE4,?,?), ref: 00107261
                                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,000B0EE4,?,?), ref: 0010726E
                                                                    • Part of subcall function 00106C35: CloseHandle.KERNEL32(00000000,?,0010727B,?,000B0EE4,?,?), ref: 00106C3F
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00107281
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 00107288
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 3495660284-0
                                                                  • Opcode ID: b3b1403dfcaee5680940be5a90fd7ae09656c9b5cc58b3aad15e3cdc2e5204e4
                                                                  • Instruction ID: e747b9f66e762fa5d23930659743e1fc0c7c0e22824c155668662e7adfcb968d
                                                                  • Opcode Fuzzy Hash: b3b1403dfcaee5680940be5a90fd7ae09656c9b5cc58b3aad15e3cdc2e5204e4
                                                                  • Instruction Fuzzy Hash: 18F0BE36841212FFE7611B24EE4C9EA3739EF06302F000139F103904E0CBB698A3CB50
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 00118613
                                                                  • CharUpperBuffW.USER32(?,?), ref: 00118722
                                                                  • VariantClear.OLEAUT32(?), ref: 0011889A
                                                                    • Part of subcall function 00107562: VariantInit.OLEAUT32(00000000), ref: 001075A2
                                                                    • Part of subcall function 00107562: VariantCopy.OLEAUT32(00000000,?), ref: 001075AB
                                                                    • Part of subcall function 00107562: VariantClear.OLEAUT32(00000000), ref: 001075B7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                  • API String ID: 4237274167-1221869570
                                                                  • Opcode ID: d038dc1ded0d1074642d97550a4c1b1743faf8c83a819ddff85d4448a074a45c
                                                                  • Instruction ID: e35dc6d85650ab79f681dee9ff7cb515d350f6f1c39ec0eadfba6eaf14fe5b72
                                                                  • Opcode Fuzzy Hash: d038dc1ded0d1074642d97550a4c1b1743faf8c83a819ddff85d4448a074a45c
                                                                  • Instruction Fuzzy Hash: 1C917C706043019FC714DF64C48599BB7E4EF89714F14892EF89A9B3A2DB30E946CB52
                                                                  APIs
                                                                    • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                                  • _memset.LIBCMT ref: 00102B87
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00102BB6
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00102C69
                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00102C97
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                  • String ID: 0
                                                                  • API String ID: 4152858687-4108050209
                                                                  • Opcode ID: 31b4a43e6297573ccd86889cf27cadb0eec2460575e860668dc6f977a78700e7
                                                                  • Instruction ID: 33968f0c0a090f3f6830dbd9249c8551445835ce4a2aa5bdf7713d8d92f22257
                                                                  • Opcode Fuzzy Hash: 31b4a43e6297573ccd86889cf27cadb0eec2460575e860668dc6f977a78700e7
                                                                  • Instruction Fuzzy Hash: D751BD716083019AE7249F28CA49AAFBBE8EF59314F144A2DF8D5D71D1DBB0CD44CB52
                                                                  APIs
                                                                  • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 000FD5D4
                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000FD60A
                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000FD61B
                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000FD69D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                  • String ID: DllGetClassObject
                                                                  • API String ID: 753597075-1075368562
                                                                  • Opcode ID: a5c9ae4318f450fecc93b0e843219601059db54a2ca4c940c603d1a06e8003ab
                                                                  • Instruction ID: 79e60368fcb47589dc3fbf97a4d2a615f09d1455499f24dcd752dcc7cd4edffc
                                                                  • Opcode Fuzzy Hash: a5c9ae4318f450fecc93b0e843219601059db54a2ca4c940c603d1a06e8003ab
                                                                  • Instruction Fuzzy Hash: F34181B1600208EFDB15DF54C884AAA7BBAEF44310F1581AEEE09DF605D7B1DD44EBA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 001027C0
                                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001027DC
                                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00102822
                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00165890,00000000), ref: 0010286B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1173514356-4108050209
                                                                  • Opcode ID: 7868e5f6653cc579663e16fc23c43c5d1e0f7c180b2cb4b71c7a4fbc78e7a20c
                                                                  • Instruction ID: 85c180c5cf094e0218fb660359e08d1f952e760b5c1a3979c41b20bc8365d346
                                                                  • Opcode Fuzzy Hash: 7868e5f6653cc579663e16fc23c43c5d1e0f7c180b2cb4b71c7a4fbc78e7a20c
                                                                  • Instruction Fuzzy Hash: F641B1752043419FD724DF24CC48B5ABBE8EF95314F148A2EF9A5972D2DBB0E805CB52
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0011D7C5
                                                                    • Part of subcall function 000A784B: _memmove.LIBCMT ref: 000A7899
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharLower_memmove
                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                  • API String ID: 3425801089-567219261
                                                                  • Opcode ID: dbd68215348b7e7e1e84c5f39bf0cb305d6880ccd671703d2a9695d127bb6294
                                                                  • Instruction ID: 7f1363832bd045222b916a9a7d595805631421bc0c5d8fd2fb6d9d611f83ae6f
                                                                  • Opcode Fuzzy Hash: dbd68215348b7e7e1e84c5f39bf0cb305d6880ccd671703d2a9695d127bb6294
                                                                  • Instruction Fuzzy Hash: 9A318F71904619EBCF04EFA8DC519FEB3B5FF05320B108629E875AB6D2DB71A945CB80
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000F8F14
                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000F8F27
                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 000F8F57
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$_memmove$ClassName
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 365058703-1403004172
                                                                  • Opcode ID: 607ed292585b04ae540386dc1b30a46e1b0a10b7350b2bff90b8e8dc140bc562
                                                                  • Instruction ID: 94981dfdc0f4665a13daa8422f05379695c76501e5dc9d8b409bb2e5389d92bb
                                                                  • Opcode Fuzzy Hash: 607ed292585b04ae540386dc1b30a46e1b0a10b7350b2bff90b8e8dc140bc562
                                                                  • Instruction Fuzzy Hash: CF21D571A04108BEDB14ABA09C45DFFB779DF06320F148529F925975E2DB39484EE610
                                                                  APIs
                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011184C
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00111872
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001118A2
                                                                  • InternetCloseHandle.WININET(00000000), ref: 001118E9
                                                                    • Part of subcall function 00112483: GetLastError.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 00112498
                                                                    • Part of subcall function 00112483: SetEvent.KERNEL32(?,?,00111817,00000000,00000000,00000001), ref: 001124AD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                  • String ID:
                                                                  • API String ID: 3113390036-3916222277
                                                                  • Opcode ID: 8b16ddf900753d1b225e1c950d3afcec303ac2928c86fc701ce95ddea58fd8c5
                                                                  • Instruction ID: 9cd8e3efea9d4f72a82be035dcb74264515311d3fa1514b2d2c322b52bd6d1f0
                                                                  • Opcode Fuzzy Hash: 8b16ddf900753d1b225e1c950d3afcec303ac2928c86fc701ce95ddea58fd8c5
                                                                  • Instruction Fuzzy Hash: FD21AFB1500208BFEB159F648C85EFFB6ADEB48744F10813AF50592540DB308D9697A1
                                                                  APIs
                                                                    • Part of subcall function 000A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000A1D73
                                                                    • Part of subcall function 000A1D35: GetStockObject.GDI32(00000011), ref: 000A1D87
                                                                    • Part of subcall function 000A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A1D91
                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00126461
                                                                  • LoadLibraryW.KERNEL32(?), ref: 00126468
                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0012647D
                                                                  • DestroyWindow.USER32(?), ref: 00126485
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                  • String ID: SysAnimate32
                                                                  • API String ID: 4146253029-1011021900
                                                                  • Opcode ID: bf47d83917a418ac64185af4bbed65781e756637161932b6f5f9f09694b48aab
                                                                  • Instruction ID: 94d5dc795c1e1ccf23de66ba9e55ed91309c1da6a33acec5dacd78a7902e56b6
                                                                  • Opcode Fuzzy Hash: bf47d83917a418ac64185af4bbed65781e756637161932b6f5f9f09694b48aab
                                                                  • Instruction Fuzzy Hash: 8F219D71200265BFEF10AFA4EC80EBB37ADEF59324F104629FA90960D0D771DCA29760
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00106DBC
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00106DEF
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00106E01
                                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00106E3B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  • Opcode ID: fe27c3bfe8db13787883e59fab037dda0b4e93fd7332b629e715983125dcf8dc
                                                                  • Instruction ID: f71bd04fe490c51810f56a6b7eb2d4f4088c83d6ca2bd7444e5b57e9a1524a0b
                                                                  • Opcode Fuzzy Hash: fe27c3bfe8db13787883e59fab037dda0b4e93fd7332b629e715983125dcf8dc
                                                                  • Instruction Fuzzy Hash: B621907460030AAFDB209F69DC05A9A7BF4EF55720F204A29FCE0D72D0DBB099718B50
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00106E89
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00106EBB
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00106ECC
                                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00106F06
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  • Opcode ID: 57d244449a2651e7508761f6bff07c74f75f1c11bcd04631ab7abdb98372037e
                                                                  • Instruction ID: 0e4ce0f3a493d17dfd16d581d060d7567ce444ba7a8be9fbda8bbc0235891d5c
                                                                  • Opcode Fuzzy Hash: 57d244449a2651e7508761f6bff07c74f75f1c11bcd04631ab7abdb98372037e
                                                                  • Instruction Fuzzy Hash: 1B216079500305ABDB20DF69DC04A9A77A8AF55720F200A29FCE1D72D0D7B0A9618B60
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0010AC54
                                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0010ACA8
                                                                  • __swprintf.LIBCMT ref: 0010ACC1
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,0012F910), ref: 0010ACFF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                                  • String ID: %lu
                                                                  • API String ID: 3164766367-685833217
                                                                  • Opcode ID: 30cd65193fdd6f7dd91757c0305682dd38715295b702376ebf4175642381b537
                                                                  • Instruction ID: 03a6909285418a010dee188f81541198d6d591baef0b15ac5a98d6f7aeace3d2
                                                                  • Opcode Fuzzy Hash: 30cd65193fdd6f7dd91757c0305682dd38715295b702376ebf4175642381b537
                                                                  • Instruction Fuzzy Hash: 5C214130A00209AFCB10DFA5C945EEE7BB8EF49714F004069F909AB252DB71EA56CB61
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 00101B19
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                  • API String ID: 3964851224-769500911
                                                                  • Opcode ID: 8c977e3fbc6e545674dfad2d66e981fcbf7e2357e334dc0b7958ab410ad1aeb2
                                                                  • Instruction ID: d8e31b3f31197f62d504879b28db81ae8aa8b393cca4309cab159e46c0823af5
                                                                  • Opcode Fuzzy Hash: 8c977e3fbc6e545674dfad2d66e981fcbf7e2357e334dc0b7958ab410ad1aeb2
                                                                  • Instruction Fuzzy Hash: 2E115E30910208DFCF00EF94D9519EEB7B4FF2A308B108869D864AB692EB365D1ACB50
                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0011EC07
                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0011EC37
                                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0011ED6A
                                                                  • CloseHandle.KERNEL32(?), ref: 0011EDEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                  • String ID:
                                                                  • API String ID: 2364364464-0
                                                                  • Opcode ID: b31aec71b2b15e4bc0f908f1a699784bfd8c07456baf9d04307367aa6ba68944
                                                                  • Instruction ID: d71a8867d86e793ec2e9f52578a852100c5164f5bab829225febc9e1e1d7e90f
                                                                  • Opcode Fuzzy Hash: b31aec71b2b15e4bc0f908f1a699784bfd8c07456baf9d04307367aa6ba68944
                                                                  • Instruction Fuzzy Hash: 6681A371604300AFD724EF68C846FAAB7E5AF45710F04882DF999DB2D2DB75AC41CB52
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 00120E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011FDAD,?,?), ref: 00120E31
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001200FD
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012013C
                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00120183
                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 001201AF
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001201BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                  • String ID:
                                                                  • API String ID: 3440857362-0
                                                                  • Opcode ID: 4bf6e53552255ba0dbcc176b5f0502c8e7158d0781e68b4978c31b4c87adfbd6
                                                                  • Instruction ID: 26c04632f3f2da6c9b5c1deecc731b519d8c61b2218c4dafba839035e5e3bfad
                                                                  • Opcode Fuzzy Hash: 4bf6e53552255ba0dbcc176b5f0502c8e7158d0781e68b4978c31b4c87adfbd6
                                                                  • Instruction Fuzzy Hash: 09517C71208204AFC715EF54DC81EABB7E9FF88304F00892DF5958B2A2DB31E965CB52
                                                                  APIs
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0011D927
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0011D9AA
                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0011D9C6
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0011DA07
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0011DA21
                                                                    • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00107896,?,?,00000000), ref: 000A5A2C
                                                                    • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00107896,?,?,00000000,?,?), ref: 000A5A50
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 327935632-0
                                                                  • Opcode ID: ba858dbbc23ff0d22a9faea5e92abc7498c790378f4fce3a1101d86ea38ef56f
                                                                  • Instruction ID: 0a10426d2e0abcf71ffb8da77764d00cc612597298879967dd75f89cc8211d92
                                                                  • Opcode Fuzzy Hash: ba858dbbc23ff0d22a9faea5e92abc7498c790378f4fce3a1101d86ea38ef56f
                                                                  • Instruction Fuzzy Hash: 83513935A04609EFCB04EFA8D4849EEB7F4FF19314B458069E815AB312DB31AD86CF91
                                                                  APIs
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0010E61F
                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0010E648
                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0010E687
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0010E6AC
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0010E6B4
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1389676194-0
                                                                  • Opcode ID: edf231ef8e9bbcd570328d6ca37cd62ddc32ac0b7856225f87d13ce320cb0c22
                                                                  • Instruction ID: d0f9321ccdb2de54204e59e8057fb51b2967d20ac68cf5c4ba2df62e1c9b28e5
                                                                  • Opcode Fuzzy Hash: edf231ef8e9bbcd570328d6ca37cd62ddc32ac0b7856225f87d13ce320cb0c22
                                                                  • Instruction Fuzzy Hash: EF510E35A00105DFCB01EFA5D981AAEBBF5EF0A314F1484A9E849AB362CB35ED51DF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9085dbe3cbe00860287127646d2a3a4fec7e1311e06e43cb127288bcb9b17a5a
                                                                  • Instruction ID: ec3fc921e9bc4a53f31de47245e46512fa5de9a4d80a26a7ca859492bb7825b4
                                                                  • Opcode Fuzzy Hash: 9085dbe3cbe00860287127646d2a3a4fec7e1311e06e43cb127288bcb9b17a5a
                                                                  • Instruction Fuzzy Hash: F0412735904124BFC724DF28EC48FA9BBB8EF09320F950165F915A72E1C730AD71DA91
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 000A2357
                                                                  • ScreenToClient.USER32(001657B0,?), ref: 000A2374
                                                                  • GetAsyncKeyState.USER32(00000001), ref: 000A2399
                                                                  • GetAsyncKeyState.USER32(00000002), ref: 000A23A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                  • String ID:
                                                                  • API String ID: 4210589936-0
                                                                  • Opcode ID: 3dd6f6a55306c4afaad9216820a60edf60669fa08b63546114fd68916940fb2a
                                                                  • Instruction ID: c5294e23753c264738da1be00761117ed317d8a7ff1e42a0544248f1bfd912de
                                                                  • Opcode Fuzzy Hash: 3dd6f6a55306c4afaad9216820a60edf60669fa08b63546114fd68916940fb2a
                                                                  • Instruction Fuzzy Hash: 4F415435504215FFDF259FA8C844AEDBBB5FB06360F20436AF82592290C7346E94DFA1
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000F63E7
                                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 000F6433
                                                                  • TranslateMessage.USER32(?), ref: 000F645C
                                                                  • DispatchMessageW.USER32(?), ref: 000F6466
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000F6475
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                  • String ID:
                                                                  • API String ID: 2108273632-0
                                                                  • Opcode ID: 54e26cb1337b523acd33509741141718457639627dc1aee297d1df7970ba6555
                                                                  • Instruction ID: aaae99e827d69aacfd5394c01c39827e39931bd50744035f6e8bc42e81cccf0b
                                                                  • Opcode Fuzzy Hash: 54e26cb1337b523acd33509741141718457639627dc1aee297d1df7970ba6555
                                                                  • Instruction Fuzzy Hash: E331927190064AAFDBA4DFB0DC44BB67BF9AB01300F540179E621C3DA1E766A499F760
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 000F8A30
                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 000F8ADA
                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000F8AE2
                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 000F8AF0
                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000F8AF8
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePostSleep$RectWindow
                                                                  • String ID:
                                                                  • API String ID: 3382505437-0
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 000FB204
                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000FB221
                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000FB259
                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000FB27F
                                                                  • _wcsstr.LIBCMT ref: 000FB289
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                  • String ID:
                                                                  • API String ID: 3902887630-0
                                                                  APIs
                                                                    • Part of subcall function 000A2612: GetWindowLongW.USER32(?,000000EB), ref: 000A2623
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0012B192
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0012B1B7
                                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0012B1CF
                                                                  • GetSystemMetrics.USER32(00000004), ref: 0012B1F8
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00110E90,00000000), ref: 0012B216
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window$Long$MetricsSystem
                                                                  • String ID:
                                                                  • API String ID: 2294984445-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000F9320
                                                                    • Part of subcall function 000A7BCC: _memmove.LIBCMT ref: 000A7C06
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000F9352
                                                                  • __itow.LIBCMT ref: 000F936A
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000F9392
                                                                  • __itow.LIBCMT ref: 000F93A3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow$_memmove
                                                                  • String ID:
                                                                  • API String ID: 2983881199-0
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 00115A6E
                                                                  • GetForegroundWindow.USER32 ref: 00115A85
                                                                  • GetDC.USER32(00000000), ref: 00115AC1
                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00115ACD
                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00115B08
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window$ForegroundPixelRelease
                                                                  • String ID:
                                                                  • API String ID: 4156661090-0
                                                                  APIs
                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A134D
                                                                  • SelectObject.GDI32(?,00000000), ref: 000A135C
                                                                  • BeginPath.GDI32(?), ref: 000A1373
                                                                  • SelectObject.GDI32(?,00000000), ref: 000A139C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                  • String ID:
                                                                  • API String ID: 3225163088-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _memcmp
                                                                  • String ID:
                                                                  • API String ID: 2931989736-0
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00104ABA
                                                                  • __beginthreadex.LIBCMT ref: 00104AD8
                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00104AED
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00104B03
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00104B0A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                  • String ID:
                                                                  • API String ID: 3824534824-0
                                                                  APIs
                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F821E
                                                                  • GetLastError.KERNEL32(?,000F7CE2,?,?,?), ref: 000F8228
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,000F7CE2,?,?,?), ref: 000F8237
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,000F7CE2), ref: 000F823E
                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F8255
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 883493501-0
                                                                  APIs
                                                                  • CLSIDFromProgID.COMBASE ref: 000F7127
                                                                  • ProgIDFromCLSID.COMBASE(?,00000000), ref: 000F7142
                                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,000F7044,80070057,?,?), ref: 000F7150
                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 000F7160
                                                                  • CLSIDFromString.COMBASE(?,?), ref: 000F716C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 3897988419-0
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00105260
                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0010526E
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00105276
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00105280
                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                  • String ID:
                                                                  • API String ID: 2833360925-0
                                                                  • Opcode ID: 7f14bec63c738f0ccaaef17a8334274e6c8d972c0ce686b346196a79fbc21f92
                                                                  • Instruction ID: 646e43166f6344a396aaa6911c3519802b6e17bb209929dc90bbf71cb023ef40
                                                                  • Opcode Fuzzy Hash: 7f14bec63c738f0ccaaef17a8334274e6c8d972c0ce686b346196a79fbc21f92
                                                                  • Instruction Fuzzy Hash: 81016D31D01A1DEBDF14EFE4D8485EEBB79FF0D711F41006AE981B2180CB7055A28BA1
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F8121
                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F812B
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F813A
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 000F8141
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8157
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 47921759-0
                                                                  • Opcode ID: b278fed73b65d23432d45f177ff30da16e15d9e9ed6df6db8ef357cc11d03615
                                                                  • Instruction ID: 4b2104e3de35f9825df91156c593c34c527e3e604015bdee4b5b530f7524bd78
                                                                  • Opcode Fuzzy Hash: b278fed73b65d23432d45f177ff30da16e15d9e9ed6df6db8ef357cc11d03615
                                                                  • Instruction Fuzzy Hash: CAF03C75200308BFEB610FA5EC88EB73BADFF49B54F104139FA4586550DB6199A3EB60
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 000FC1F7
                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 000FC20E
                                                                  • MessageBeep.USER32(00000000), ref: 000FC226
                                                                  • KillTimer.USER32(?,0000040A), ref: 000FC242
                                                                  • EndDialog.USER32(?,00000001), ref: 000FC25C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3741023627-0
                                                                  • Opcode ID: f2737ceacadc3054bffe78bd6f14e2707adfd0be56fac4e2c5405c20daa1ce41
                                                                  • Instruction ID: 8e219b5088cc85b6f3c208fec4fbda07a08c7cd5b21c39d1017e86d6c108b566
                                                                  • Opcode Fuzzy Hash: f2737ceacadc3054bffe78bd6f14e2707adfd0be56fac4e2c5405c20daa1ce41
                                                                  • Instruction Fuzzy Hash: 5501A73040430CABFB705B50DD4EFA677B8FB00B05F00026DA642A18E1D7E46999AB50
                                                                  APIs
                                                                  • EndPath.GDI32(?), ref: 000A13BF
                                                                  • StrokeAndFillPath.GDI32(?,?,000DB888,00000000,?), ref: 000A13DB
                                                                  • SelectObject.GDI32(?,00000000), ref: 000A13EE
                                                                  • DeleteObject.GDI32 ref: 000A1401
                                                                  • StrokePath.GDI32(?), ref: 000A141C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                  • String ID:
                                                                  • API String ID: 2625713937-0
                                                                  • Opcode ID: e57e0a17d2bb639e686bee31ca88effa54634dba160bdeaca4b21f3e953541e0
                                                                  • Instruction ID: 1156f9639017afb9ab25d3fd27b1e81f053abdb47b92d524605136e976527cc7
                                                                  • Opcode Fuzzy Hash: e57e0a17d2bb639e686bee31ca88effa54634dba160bdeaca4b21f3e953541e0
                                                                  • Instruction Fuzzy Hash: B2F0CD31004708EBDB215F5AED4C7983BFAA742326F088228F4694ACF1C77545E6DF64
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000F899D
                                                                  • CloseHandle.KERNEL32(?), ref: 000F89B2
                                                                  • CloseHandle.KERNEL32(?), ref: 000F89BA
                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 000F89C3
                                                                  • HeapFree.KERNEL32(00000000), ref: 000F89CA
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                                                  • String ID:
                                                                  • API String ID: 3751786701-0
                                                                  • Opcode ID: 86553a1cca88e7e70a92a1a9e9f1b151b65c01a2176ae956834462d8238219d3
                                                                  • Instruction ID: 129c9e61c23850acc3c6134c25fe883f0a1e285282e0a1748bbcadf2d71696ca
                                                                  • Opcode Fuzzy Hash: 86553a1cca88e7e70a92a1a9e9f1b151b65c01a2176ae956834462d8238219d3
                                                                  • Instruction Fuzzy Hash: 22E0C236004001FBDA115FE1ED0C91ABB79FB89322B508238F21981870CB3294B3DB50
                                                                  APIs
                                                                    • Part of subcall function 000C0DB6: std::exception::exception.LIBCMT ref: 000C0DEC
                                                                    • Part of subcall function 000C0DB6: __CxxThrowException@8.LIBCMT ref: 000C0E01
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000A7A51: _memmove.LIBCMT ref: 000A7AAB
                                                                  • __swprintf.LIBCMT ref: 000B2ECD
                                                                  Strings
                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000B2D66
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                  • API String ID: 1943609520-557222456
                                                                  • Opcode ID: 16eace386a4874600eb0f423fd93817a11447c8b3a7a9a3708b52f5bf6110627
                                                                  • Instruction ID: 7c6bd203a4e7aa5e00d57fd07cce8d118810023dc1013435339372c586587a82
                                                                  • Opcode Fuzzy Hash: 16eace386a4874600eb0f423fd93817a11447c8b3a7a9a3708b52f5bf6110627
                                                                  • Instruction Fuzzy Hash: 00915A71118201AFC714EF64D885DAFB7E8EF96750F00492DF496AB2A2EB31ED44CB52
                                                                  APIs
                                                                    • Part of subcall function 000A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A4743,?,?,000A37AE,?), ref: 000A4770
                                                                  • CoInitialize.OLE32(00000000), ref: 0010B9BB
                                                                  • CoCreateInstance.COMBASE(00132D6C,00000000,00000001,00132BDC,?), ref: 0010B9D4
                                                                  • CoUninitialize.COMBASE ref: 0010B9F1
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                  • String ID: .lnk
                                                                  • API String ID: 2126378814-24824748
                                                                  • Opcode ID: 013d2fe76b977fb3779691d3ad1bffaf740f182d16c0be422e755ee86671560e
                                                                  • Instruction ID: 559d923255ad333980e77b6601d2c9d0f8b1ce933a88737ef29b2ffb9a8d689a
                                                                  • Opcode Fuzzy Hash: 013d2fe76b977fb3779691d3ad1bffaf740f182d16c0be422e755ee86671560e
                                                                  • Instruction Fuzzy Hash: E0A169756043059FCB10DF54C884D6ABBE5FF8A714F048998F8999B3A2CB71EC46CB91
                                                                  APIs
                                                                  • __startOneArgErrorHandling.LIBCMT ref: 000C50AD
                                                                    • Part of subcall function 000D00F0: __87except.LIBCMT ref: 000D012B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHandling__87except__start
                                                                  • String ID: pow
                                                                  • API String ID: 2905807303-2276729525
                                                                  • Opcode ID: 0ee3062bda46f5aa9d75059534ea896fd8796d20e91e6c7d6c13645e2b669aec
                                                                  • Instruction ID: c6de2ac65c9d846e3d4a353fb75da562c7722a262039b2fe46af38264b810aa2
                                                                  • Opcode Fuzzy Hash: 0ee3062bda46f5aa9d75059534ea896fd8796d20e91e6c7d6c13645e2b669aec
                                                                  • Instruction Fuzzy Hash: 7A519D6990970286DB617714CC057BE2BD0EB40301F348D5EF8D9C63EAEF349DC49A92
                                                                  APIs
                                                                    • Part of subcall function 001014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F9296,?,?,00000034,00000800,?,00000034), ref: 001014E6
                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000F983F
                                                                    • Part of subcall function 00101487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 001014B1
                                                                    • Part of subcall function 001013DE: GetWindowThreadProcessId.USER32(?,?), ref: 00101409
                                                                    • Part of subcall function 001013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000F925A,00000034,?,?,00001004,00000000,00000000), ref: 00101419
                                                                    • Part of subcall function 001013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000F925A,00000034,?,?,00001004,00000000,00000000), ref: 0010142F
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F98AC
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F98F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                  • String ID: @
                                                                  • API String ID: 4150878124-2766056989
                                                                  • Opcode ID: 21bd46f3dc16262f9cd1407ec20a277ed79d3c384395f8ff0a9b170ce64733e8
                                                                  • Instruction ID: d7661338fd4a6d96589eae017b826d73ad4ec1abf02d7665ad380ac3ccbd5f94
                                                                  • Opcode Fuzzy Hash: 21bd46f3dc16262f9cd1407ec20a277ed79d3c384395f8ff0a9b170ce64733e8
                                                                  • Instruction Fuzzy Hash: 2C413D7690021CBEDB10DFA4CC81EEEBBB8EB19300F104199FA55B7191DB756E85DBA0
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0012F910,00000000,?,?,?,?), ref: 001279DF
                                                                  • GetWindowLongW.USER32 ref: 001279FC
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00127A0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID: SysTreeView32
                                                                  • API String ID: 847901565-1698111956
                                                                  • Opcode ID: e966feae6a9a096a4771cbc8d91a87d4255deb1c9a7196f527fea109c03063ff
                                                                  • Instruction ID: 501895320c6581ff0a67383ebb3c361a02eba199e9d8ca606fee5b78cb4be1b5
                                                                  • Opcode Fuzzy Hash: e966feae6a9a096a4771cbc8d91a87d4255deb1c9a7196f527fea109c03063ff
                                                                  • Instruction Fuzzy Hash: 2031BC31204216AFDF118E38EC45BEB77A9EB09334F244729F875A32E0D730E9A18B50
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00127461
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00127475
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00127499
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: SysMonthCal32
                                                                  • API String ID: 2326795674-1439706946
                                                                  • Opcode ID: b1023b1a5a28bf30708f3b05c972f2f15e65d811945c457dd055a09b38a4ae70
                                                                  • Instruction ID: e476b4e12b4b7fe951eb7c69325c529828489e4c62b72eaae7ac249e92175fe5
                                                                  • Opcode Fuzzy Hash: b1023b1a5a28bf30708f3b05c972f2f15e65d811945c457dd055a09b38a4ae70
                                                                  • Instruction Fuzzy Hash: F321E132500228BBDF159E54DC42FEB3B79EB48724F110114FE146B1D0DBB1ACA18BA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00127C4A
                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00127C58
                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00127C5F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$DestroyWindow
                                                                  • String ID: msctls_updown32
                                                                  • API String ID: 4014797782-2298589950
                                                                  • Opcode ID: be947b13d4733109cf4ed7a13fa6d627b2951750db298ae70f086b86106c8069
                                                                  • Instruction ID: 786d5724ccb0f19b25c36ebf6ef5a71908f4bbe6847235aeefba113f615f5a9f
                                                                  • Opcode Fuzzy Hash: be947b13d4733109cf4ed7a13fa6d627b2951750db298ae70f086b86106c8069
                                                                  • Instruction Fuzzy Hash: E3218CB5604219AFDB10DF28ECC1DA737EDEF4A394B140059FA119B3A1CB71EC618BA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00126D3B
                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00126D4B
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00126D70
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$MoveWindow
                                                                  • String ID: Listbox
                                                                  • API String ID: 3315199576-2633736733
                                                                  • Opcode ID: 9d58ecde636f3bbddfcaaebceb698fbb98910dfeb58577ff2b0b464b28c885e2
                                                                  • Instruction ID: afcfa60ae40a9f9b35e5f8974ccb2b14b0ddc1cfc3e0117f097377fe0a2991fa
                                                                  • Opcode Fuzzy Hash: 9d58ecde636f3bbddfcaaebceb698fbb98910dfeb58577ff2b0b464b28c885e2
                                                                  • Instruction Fuzzy Hash: EA219532600128BFDF159F54EC45FAB377AEF89750F018128F9555B1D0C7719C6187A0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00127772
                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00127787
                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00127794
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: msctls_trackbar32
                                                                  • API String ID: 3850602802-1010561917
                                                                  • Opcode ID: 7f0eb4f1f024afef9b4a107f85a7fa3592929f20250406764765d40d2d78e23e
                                                                  • Instruction ID: 1a07e6771869172b0394c471ff3caa17e1418eb26b6c806ee721d5616cd77a6f
                                                                  • Opcode Fuzzy Hash: 7f0eb4f1f024afef9b4a107f85a7fa3592929f20250406764765d40d2d78e23e
                                                                  • Instruction Fuzzy Hash: 0A113672204208BFEF205FA0DC09FEB37A9EF89B54F010128FA41A60D0C372E861CB20
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,000A4BD0,?,000A4DEF,?,001652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000A4C11
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A4C23
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-3689287502
                                                                  • Opcode ID: 430622fa276ea811570029d9b33f62bcd0f068b779830a52292d087464766d72
                                                                  • Instruction ID: b3d4f9469460ef6c4e339a24e30c13084356ed00c3851589170f8671ade1db2b
                                                                  • Opcode Fuzzy Hash: 430622fa276ea811570029d9b33f62bcd0f068b779830a52292d087464766d72
                                                                  • Instruction Fuzzy Hash: 63D0C230510713DFC7206FB0D908247B6E5EF09352F008C3D9486C6550E7F0D4D2C610
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,000A4B83,?), ref: 000A4C44
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4C56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-1355242751
                                                                  • Opcode ID: c880924782afa3e887a27cf501583efc3eda02ed0b863b3d34a6b00918bcc04c
                                                                  • Instruction ID: dacc8859541f7abfb508f70808222ec91fdb9dab65e51da4516d45b5884bcfb7
                                                                  • Opcode Fuzzy Hash: c880924782afa3e887a27cf501583efc3eda02ed0b863b3d34a6b00918bcc04c
                                                                  • Instruction Fuzzy Hash: 6AD0C730610723DFC7208F71D90820A76E4AF06361F10883E98AACA560E7B0E8E1CA10
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00121039), ref: 00120DF5
                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00120E07
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 2574300362-4033151799
                                                                  • Opcode ID: d5dce1fa91e2f3997da6499f51942c4c5c2d41c838b1d636b9368aa1ba3a7e2b
                                                                  • Instruction ID: e3b08f1d2c29090ca8a84f8b135a68dc4bfdb99264d88659e59c5687c2c88b51
                                                                  • Opcode Fuzzy Hash: d5dce1fa91e2f3997da6499f51942c4c5c2d41c838b1d636b9368aa1ba3a7e2b
                                                                  • Instruction Fuzzy Hash: 5ED0C730420322DFC3218F70D808282B2E5AF08342F028C3E9892E6550E7B8D8F0CA00
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00118CF4,?,0012F910), ref: 001190EE
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00119100
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                  • API String ID: 2574300362-199464113
                                                                  • Opcode ID: 0786d0265ab10e3d5cd531d728a762312715e511eaf1aa4cb573e7ba76c7fb7d
                                                                  • Instruction ID: cbe6ec54f37c9cda99518fc918a2342e4710135b31d4d4a9546ff62eec53a51b
                                                                  • Opcode Fuzzy Hash: 0786d0265ab10e3d5cd531d728a762312715e511eaf1aa4cb573e7ba76c7fb7d
                                                                  • Instruction Fuzzy Hash: 08D01234610713EFD7209F31D81964676E5AF05751F15883E94A5D6550E770C4D1C650
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: LocalTime__swprintf
                                                                  • String ID: %.3d$WIN_XPe
                                                                  • API String ID: 2070861257-2409531811
                                                                  • Opcode ID: a56aa0432925878c06f5715e2a577fb6b65ddce5a548465b459833886f05020c
                                                                  • Instruction ID: 03da06eb54a1c87a4dd4a0d689ec7ec28740720f0d576e8a844790aab4facb10
                                                                  • Opcode Fuzzy Hash: a56aa0432925878c06f5715e2a577fb6b65ddce5a548465b459833886f05020c
                                                                  • Instruction Fuzzy Hash: F7D01771808298FECB249B929888DFD777CAB09B12F100462B842B2180E2318B95EA21
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2ac868932418840e78acecbc9c406e1841acb612bc60c6bc30543f07b2e0d7c
                                                                  • Instruction ID: e865276a11d6a3036f0600a55860f64cc5dcb6368407c77966da6e0b2e4d05cf
                                                                  • Opcode Fuzzy Hash: c2ac868932418840e78acecbc9c406e1841acb612bc60c6bc30543f07b2e0d7c
                                                                  • Instruction Fuzzy Hash: F7C15C74A0421AEFCB14CF94C884EAEBBF5FF48704B158598E909DB651D730ED81EB91
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0011E0BE
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0011E101
                                                                    • Part of subcall function 0011D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0011D7C5
                                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0011E301
                                                                  • _memmove.LIBCMT ref: 0011E314
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                                  • String ID:
                                                                  • API String ID: 3659485706-0
                                                                  • Opcode ID: 814d24e3c68ec8f54e198571d424966e7ba93fe9fe693c97e126e9de4001fea7
                                                                  • Instruction ID: 32dfe66a9b7a822082defd2391d1d82cdbaa6214c9583afb886a3c06e93bc4bf
                                                                  • Opcode Fuzzy Hash: 814d24e3c68ec8f54e198571d424966e7ba93fe9fe693c97e126e9de4001fea7
                                                                  • Instruction Fuzzy Hash: D6C14A71608301DFC718DF68C490AAABBE4FF89714F14896EF8999B351D731E986CB81
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 001180C3
                                                                  • CoUninitialize.COMBASE ref: 001180CE
                                                                    • Part of subcall function 000FD56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 000FD5D4
                                                                  • VariantInit.OLEAUT32(?), ref: 001180D9
                                                                  • VariantClear.OLEAUT32(?), ref: 001183AA
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                  • String ID:
                                                                  • API String ID: 780911581-0
                                                                  • Opcode ID: b9ea7fb96732612b749c8657c23669da4a9087a0c21cf2c65990e0790261f378
                                                                  • Instruction ID: 6a256956206972293c98da77de09da7283d672f141bf4e5dba6c16dcfbb5ac31
                                                                  • Opcode Fuzzy Hash: b9ea7fb96732612b749c8657c23669da4a9087a0c21cf2c65990e0790261f378
                                                                  • Instruction Fuzzy Hash: 05A158757047019FCB14DF64C881BAAB7E4BF8A714F048468F9969B3A2CB34ED45CB92
                                                                  APIs
                                                                  • ProgIDFromCLSID.COMBASE(?,00000000), ref: 000F76EA
                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 000F7702
                                                                  • CLSIDFromProgID.COMBASE(?,?), ref: 000F7727
                                                                  • _memcmp.LIBCMT ref: 000F7748
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FromProg$FreeTask_memcmp
                                                                  • String ID:
                                                                  • API String ID: 314563124-0
                                                                  • Opcode ID: 46f21da5580e5e0b24f23b25e6f3110073f421949e56228f882775402add9c7a
                                                                  • Instruction ID: cf5b9e0823a5303db3c4d61db5f336357883a9eda601ba20e28abfb7707d9d5a
                                                                  • Opcode Fuzzy Hash: 46f21da5580e5e0b24f23b25e6f3110073f421949e56228f882775402add9c7a
                                                                  • Instruction Fuzzy Hash: 96811B75A00209EFCB04DFA4C984EEEB7B9FF89315F204558E509EB250DB71AE06DB61
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                  • String ID:
                                                                  • API String ID: 2808897238-0
                                                                  • Opcode ID: af6e95d7349eb1bb7df17539ff5f4c16c6fb0d335f39d182803065fce81b1969
                                                                  • Instruction ID: 164f4875327f51d5e4b52fe14e602af1bed40ec4e07a7f94c50dfbad43e9c416
                                                                  • Opcode Fuzzy Hash: af6e95d7349eb1bb7df17539ff5f4c16c6fb0d335f39d182803065fce81b1969
                                                                  • Instruction Fuzzy Hash: 5F51E874704309DACB24EFA5D491A7EB3E4AF45310F20C81FE686DBA92DB76D840EB11
                                                                  APIs
                                                                  • GetWindowRect.USER32(0128DDC0,?), ref: 00129863
                                                                  • ScreenToClient.USER32(00000002,00000002), ref: 00129896
                                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00129903
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientMoveRectScreen
                                                                  • String ID:
                                                                  • API String ID: 3880355969-0
                                                                  • Opcode ID: 0e83234a3b93f7970089bf408861ab4be77c71145d08727dd3a4dd70ac1a1743
                                                                  • Instruction ID: 37f108c80f0ad4b7028c7009f04c8e0c0d409b9c88c412a4b0b6ad9e8cd04c6e
                                                                  • Opcode Fuzzy Hash: 0e83234a3b93f7970089bf408861ab4be77c71145d08727dd3a4dd70ac1a1743
                                                                  • Instruction Fuzzy Hash: 60517374A00219EFCF14CF58E880AAE7BB6FF45360F14816DF9559B2A0D731ADA1CB90
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000F9AD2
                                                                  • __itow.LIBCMT ref: 000F9B03
                                                                    • Part of subcall function 000F9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000F9DBE
                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 000F9B6C
                                                                  • __itow.LIBCMT ref: 000F9BC3
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  • API String ID: 3379773720-0
                                                                  • Opcode ID: c807730f4acf88a4be0f393e22113e7b6373afd111f6334631536411949f8a49
                                                                  • Instruction ID: 8fe5a0e0d18599fe5a1e2b4f0676d3374ac9bbe648a75a53a81ec81b6fd6e359
                                                                  • Opcode Fuzzy Hash: c807730f4acf88a4be0f393e22113e7b6373afd111f6334631536411949f8a49
                                                                  • Instruction Fuzzy Hash: 7A417F70A0020CABDF25EF54D845BFE7BB9EF45760F004069BA09A6292DB709944DBA1
                                                                  APIs
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0010B89E
                                                                  • GetLastError.KERNEL32(?,00000000), ref: 0010B8C4
                                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0010B8E9
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0010B915
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 3321077145-0
                                                                  • Opcode ID: 62626b5dfceb7a8e4bb75da38e4bef74c4174f7be0f3bbd3004d4a33c92eb170
                                                                  • Instruction ID: f258b2d5a6b6935925ca6ce006d127d3a19eb45ca0295965f2e3e2610c81f01d
                                                                  • Opcode Fuzzy Hash: 62626b5dfceb7a8e4bb75da38e4bef74c4174f7be0f3bbd3004d4a33c92eb170
                                                                  • Instruction Fuzzy Hash: A6410739700610DFCB10EF55C584A9ABBE1AF4A714F098098ED8A9F762CB74FD42CB91
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001288DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: 8d9aa90a46d6a9eb2415f023ec2d2f3b402eb3f5623357192b9138cb834e5c4f
                                                                  • Instruction ID: 5b6e456a2e05735083576fd8663fedba42a674ef5e291ab605ba06f00d959c7f
                                                                  • Opcode Fuzzy Hash: 8d9aa90a46d6a9eb2415f023ec2d2f3b402eb3f5623357192b9138cb834e5c4f
                                                                  • Instruction Fuzzy Hash: 4431F434602128FFEF249A58EC45FB837A5EB49314F544116FA11E61A1CF70D9F1D752
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 0012AB60
                                                                  • GetWindowRect.USER32(?,?), ref: 0012ABD6
                                                                  • PtInRect.USER32(?,?,0012C014), ref: 0012ABE6
                                                                  • MessageBeep.USER32(00000000), ref: 0012AC57
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1352109105-0
                                                                  • Opcode ID: d17d2f141116159307f1ed169911afdb784b90cc9669643ec463f47c60477bc4
                                                                  • Instruction ID: 573502cc0876e7d89c4f52cb34182f99e332f9350aaea1086fb3893846ff2da9
                                                                  • Opcode Fuzzy Hash: d17d2f141116159307f1ed169911afdb784b90cc9669643ec463f47c60477bc4
                                                                  • Instruction Fuzzy Hash: 3E41A430600129DFCB21DF58E884B59BBF6FF49310F5480A9E458DB665D731E861CF92
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00100B27
                                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00100B43
                                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00100BA9
                                                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00100BFB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: 60ed4a1d3d88e4c5a538baae0f668652f82ed0bb0eaac38ce92f611f946b899b
                                                                  • Instruction ID: 61f7640c1b3b6591c728581af19f94b4b76a43896adad82e68ffe46a9e424ee6
                                                                  • Opcode Fuzzy Hash: 60ed4a1d3d88e4c5a538baae0f668652f82ed0bb0eaac38ce92f611f946b899b
                                                                  • Instruction Fuzzy Hash: 0F315834D4061CAEFF368B298C05BFABBA9AF4D318F08436AF5C1521D1C3F889959751
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00100C66
                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00100C82
                                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00100CE1
                                                                  • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00100D33
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: 1aff2e053e8448fdeb8dd342c843f28fb28e37314dd6615564d0fdbad5be99bf
                                                                  • Instruction ID: 48443613af059de792505ec689e096675cf301b34cc7b1f9113fcbb3443381d3
                                                                  • Opcode Fuzzy Hash: 1aff2e053e8448fdeb8dd342c843f28fb28e37314dd6615564d0fdbad5be99bf
                                                                  • Instruction Fuzzy Hash: A0314830900618AEFF368BA488147FEBB75AF4D310F04836FE4C1525D1C3B59D959761
                                                                  APIs
                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000D61FB
                                                                  • __isleadbyte_l.LIBCMT ref: 000D6229
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000D6257
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000D628D
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                  • String ID:
                                                                  • API String ID: 3058430110-0
                                                                  • Opcode ID: 01e0abeab98559f04da9177ef4b8a21cb96f9a714c1dee2494ebc12cc4612451
                                                                  • Instruction ID: 76393d0d46031ea5626ba2d49d933a6fe57bd1012686ae1804a5cc1579bc2b25
                                                                  • Opcode Fuzzy Hash: 01e0abeab98559f04da9177ef4b8a21cb96f9a714c1dee2494ebc12cc4612451
                                                                  • Instruction Fuzzy Hash: E631AE31604746AFDB218FA5CC45BBA7BF9BF41310F15402AE864972A2D732D951DBA0
                                                                  APIs
                                                                  • GetForegroundWindow.USER32 ref: 00124F02
                                                                    • Part of subcall function 00103641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0010365B
                                                                    • Part of subcall function 00103641: GetCurrentThreadId.KERNEL32 ref: 00103662
                                                                    • Part of subcall function 00103641: AttachThreadInput.USER32(00000000,?,00105005), ref: 00103669
                                                                  • GetCaretPos.USER32(?), ref: 00124F13
                                                                  • ClientToScreen.USER32(00000000,?), ref: 00124F4E
                                                                  • GetForegroundWindow.USER32 ref: 00124F54
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                  • String ID:
                                                                  • API String ID: 2759813231-0
                                                                  • Opcode ID: 4b47d2405e1237e85ed2e3a28cb272ba0aa4f9b0b5621cea2426939c5d7cba77
                                                                  • Instruction ID: 0f73ca8462381d43c48fb32f9a22c7581064e377ac83e06e22fa8253dfd7ae82
                                                                  • Opcode Fuzzy Hash: 4b47d2405e1237e85ed2e3a28cb272ba0aa4f9b0b5621cea2426939c5d7cba77
                                                                  • Instruction Fuzzy Hash: E7311E71E00108AFDB14EFA5C9859EFB7FDEF99300F10406AE455E7242DA759E458BA0
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00103C7A
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00103C88
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00103CA8
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00103D52
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                  • String ID:
                                                                  • API String ID: 420147892-0
                                                                  • Opcode ID: 47a97cd64f28853237277f08a1a79cb9dd7d75f6a8330683aff8c8f9dbf091b7
                                                                  • Instruction ID: 09afa9ff673adc6be19bc692182648c4eedf1d8ba2b75ecfc9600c37831a4d27
                                                                  • Opcode Fuzzy Hash: 47a97cd64f28853237277f08a1a79cb9dd7d75f6a8330683aff8c8f9dbf091b7
                                                                  • Instruction Fuzzy Hash: 3B3193711083059FD314EF90CC85AEFBBF8AF95354F50092DF495861E2EBB19A4ACB52
                                                                  APIs
                                                                    • Part of subcall function 000F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F8121
                                                                    • Part of subcall function 000F810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F812B
                                                                    • Part of subcall function 000F810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F813A
                                                                    • Part of subcall function 000F810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 000F8141
                                                                    • Part of subcall function 000F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F8157
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000F86A3
                                                                  • _memcmp.LIBCMT ref: 000F86C6
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F86FC
                                                                  • HeapFree.KERNEL32(00000000), ref: 000F8703
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                                                  • String ID:
                                                                  • API String ID: 2182266621-0
                                                                  • Opcode ID: 63eeafbe7cdd3a75388037b810e372a2dc67c48197863aefd099c3203806551b
                                                                  • Instruction ID: 877a0f41e15acedccac12a5ca12ea57fe4c980669e358afd011c0f168908fbce
                                                                  • Opcode Fuzzy Hash: 63eeafbe7cdd3a75388037b810e372a2dc67c48197863aefd099c3203806551b
                                                                  • Instruction Fuzzy Hash: 6B216B71E00108EBDB14DFA4D949BFEB7F8EF44304F158059E644A7641EB30AE45DB50
                                                                  APIs
                                                                  • __setmode.LIBCMT ref: 000C09AE
                                                                    • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00107896,?,?,00000000), ref: 000A5A2C
                                                                    • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00107896,?,?,00000000,?,?), ref: 000A5A50
                                                                  • _fprintf.LIBCMT ref: 000C09E5
                                                                  • OutputDebugStringW.KERNEL32(?), ref: 000F5DBB
                                                                    • Part of subcall function 000C4AAA: _flsall.LIBCMT ref: 000C4AC3
                                                                  • __setmode.LIBCMT ref: 000C0A1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                  • String ID:
                                                                  • API String ID: 521402451-0
                                                                  • Opcode ID: fb858dc7754356e4c29b13eb067d82e080beda2b89efb0e3cc1c82465947457f
                                                                  • Instruction ID: 3705d8c166dd5e0e202c9a6b02efb6ceba825c73467238454068386d1fd0b49d
                                                                  • Opcode Fuzzy Hash: fb858dc7754356e4c29b13eb067d82e080beda2b89efb0e3cc1c82465947457f
                                                                  • Instruction Fuzzy Hash: 46110231A04608BBDB04B3F49C46EFE77A8AF52321F20011DF20556183EF60484697A2
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001117A3
                                                                    • Part of subcall function 0011182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011184C
                                                                    • Part of subcall function 0011182D: InternetCloseHandle.WININET(00000000), ref: 001118E9
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$CloseConnectHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 1463438336-0
                                                                  • Opcode ID: 09504016a91bd01e41b26013653dff90c54f7865a3b51203519202a651768ee3
                                                                  • Instruction ID: f5451aac7e814d0651d0a70a917ee15421fcdf44e01e02d673a144579fe95e2a
                                                                  • Opcode Fuzzy Hash: 09504016a91bd01e41b26013653dff90c54f7865a3b51203519202a651768ee3
                                                                  • Instruction Fuzzy Hash: 28218435200605BFEB1A9F60DC41FFAFBA9FF48710F10413EFA5596650D77198A297A0
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?,0012FAC0), ref: 00103A64
                                                                  • GetLastError.KERNEL32 ref: 00103A73
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00103A82
                                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0012FAC0), ref: 00103ADF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 2267087916-0
                                                                  • Opcode ID: c6f143c78a4c52428b3e96d1ca0024ee4738dc181676167c40ddccfc2aa40343
                                                                  • Instruction ID: 52a49183b2ae0bd56ffeb3dcd4b9fcd2755d92e65054975a3bbfe008f8a8e126
                                                                  • Opcode Fuzzy Hash: c6f143c78a4c52428b3e96d1ca0024ee4738dc181676167c40ddccfc2aa40343
                                                                  • Instruction Fuzzy Hash: 12216074608201DFC710DF68D8818AAB7E8AF56764F104A2DF4E9C72E2D771DA46CB92
                                                                  APIs
                                                                  • _free.LIBCMT ref: 000D5101
                                                                    • Part of subcall function 000C571C: __FF_MSGBANNER.LIBCMT ref: 000C5733
                                                                    • Part of subcall function 000C571C: __NMSG_WRITE.LIBCMT ref: 000C573A
                                                                    • Part of subcall function 000C571C: RtlAllocateHeap.NTDLL(01270000,00000000,00000001), ref: 000C575F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free
                                                                  • String ID:
                                                                  • API String ID: 614378929-0
                                                                  • Opcode ID: d3e058b1d85cdc4727029131f95486bbf42f2440c3c55d774c18f73996993dff
                                                                  • Instruction ID: 3952f599a0aad7ae86a5d585ae6e90acdb4fe54721e4dd187f3349b755574a75
                                                                  • Opcode Fuzzy Hash: d3e058b1d85cdc4727029131f95486bbf42f2440c3c55d774c18f73996993dff
                                                                  • Instruction Fuzzy Hash: 4511A376504B11AECB312FB4AC45B9E3BE8AF543A2F10452FFD4596352DF308D8197A4
                                                                  APIs
                                                                    • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00107896,?,?,00000000), ref: 000A5A2C
                                                                    • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00107896,?,?,00000000,?,?), ref: 000A5A50
                                                                  • gethostbyname.WS2_32(?), ref: 00116399
                                                                  • WSAGetLastError.WS2_32(00000000), ref: 001163A4
                                                                  • _memmove.LIBCMT ref: 001163D1
                                                                  • inet_ntoa.WS2_32(?), ref: 001163DC
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 1504782959-0
                                                                  • Opcode ID: a78cc5f0d63d495a47d7b1785c604af822be91a3fc6efdc9ba2383afa1cdc921
                                                                  • Instruction ID: d4df37a5e5a633b773df65623c07b2ffcff8d16db598e0bd60be0ce08a298006
                                                                  • Opcode Fuzzy Hash: a78cc5f0d63d495a47d7b1785c604af822be91a3fc6efdc9ba2383afa1cdc921
                                                                  • Instruction Fuzzy Hash: 4E117C31600109AFCB04EBE4DD46CEFB7B8BF15310B004039F505AB2A2DB31AE55DBA1
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000F85E2
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 000F85E9
                                                                  • CloseHandle.KERNEL32(00000004), ref: 000F8603
                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F8632
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                                  • String ID:
                                                                  • API String ID: 2621361867-0
                                                                  • Opcode ID: 14743fd74063b00e0571c33db4c75138e7657982f37862ade8b9565f182fce2d
                                                                  • Instruction ID: 9041d0d2adf5aeae549c2f95b39211468c4410c0eec7721045671dfc645060b2
                                                                  • Opcode Fuzzy Hash: 14743fd74063b00e0571c33db4c75138e7657982f37862ade8b9565f182fce2d
                                                                  • Instruction Fuzzy Hash: AE11377250124DBFDF11CFA4ED48EEE7BB9EB08704F044069FE05A2560C6728D62EB20
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 000F8B61
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F8B73
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F8B89
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F8BA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 1d4ec401d324e08e822aed85f8a3f879b50ec764cfe3e0159a43d30ac9300767
                                                                  • Instruction ID: fd37f1e5b3ec8dd8509462b141ca72fd0cc37aa288d0b7bf29fb20dbed82edb5
                                                                  • Opcode Fuzzy Hash: 1d4ec401d324e08e822aed85f8a3f879b50ec764cfe3e0159a43d30ac9300767
                                                                  • Instruction Fuzzy Hash: 28110A79901218BFDB11DB95C885EEDBBB4EB48710F2040A5EA00B7250DB716E51EB94
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 0010115F
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 00101184
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 0010118E
                                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,000FFCED,?,00100D40,?,00008000), ref: 001011C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CounterPerformanceQuerySleep
                                                                  • String ID:
                                                                  • API String ID: 2875609808-0
                                                                  • Opcode ID: dd7f71ba97faab2d0fbcf7da09244df7257581b28b88a5872482b8de7460894e
                                                                  • Instruction ID: 5aeb946d00bffe9d7430f90028c36498c2b66bbb5052bbf8a7c77539ab863276
                                                                  • Opcode Fuzzy Hash: dd7f71ba97faab2d0fbcf7da09244df7257581b28b88a5872482b8de7460894e
                                                                  • Instruction Fuzzy Hash: 2A118E31C0061CF7CF08DFA4D848AEEBB78FF09711F414069EA80B2280CBB495A1CB91
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000FD84D
                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000FD864
                                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000FD879
                                                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000FD897
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                                  • String ID:
                                                                  • API String ID: 1352324309-0
                                                                  • Opcode ID: 8e582554d206ed01f97239ac54c63ffe44b320ca97db8d21b5a60d71edaa3a31
                                                                  • Instruction ID: 047eb59958794d7dce81ab2ecabef726bfdc91f217dc22768827ef80a40e3f85
                                                                  • Opcode Fuzzy Hash: 8e582554d206ed01f97239ac54c63ffe44b320ca97db8d21b5a60d71edaa3a31
                                                                  • Instruction Fuzzy Hash: FA115E75605308EBE3309F50DC08FA6BBBDEB40B40F10856EA616D6850DBB1E55BABA1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                  • String ID:
                                                                  • API String ID: 3016257755-0
                                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                  • Instruction ID: 7ba37ef8b5b3389f16d5f76ecdb90f3e6b14aa21293be9762e078aa85d1c1007
                                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                  • Instruction Fuzzy Hash: 28014E7244824AFBCF265F84DC05CED3F62BB18350B588456FA5C58271E237C9B1ABA1
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 0012B2E4
                                                                  • ScreenToClient.USER32(?,?), ref: 0012B2FC
                                                                  • ScreenToClient.USER32(?,?), ref: 0012B320
                                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0012B33B
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                                  • String ID:
                                                                  • API String ID: 357397906-0
                                                                  • Opcode ID: 4e8c6f40b99110ce537f0fcf6a0a403f5e9a5f3ac340631040ce21afdf8e7e39
                                                                  • Instruction ID: 38910aa45d117c937f35dd963c145cfc8c9824742dcffdb5339623f87fe50b9a
                                                                  • Opcode Fuzzy Hash: 4e8c6f40b99110ce537f0fcf6a0a403f5e9a5f3ac340631040ce21afdf8e7e39
                                                                  • Instruction Fuzzy Hash: DE114779D00209EFDB51CF99D4849EEBBF5FF08310F104166E914E3620D735AA658F50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0012B644
                                                                  • _memset.LIBCMT ref: 0012B653
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00166F20,00166F64), ref: 0012B682
                                                                  • CloseHandle.KERNEL32 ref: 0012B694
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                  • String ID:
                                                                  • API String ID: 3277943733-0
                                                                  • Opcode ID: dc9c2e9eaafad4e3a0b930daa8eef7eb5b6cb077efc5a063cba6527951a21cf8
                                                                  • Instruction ID: 609d6501f6cbe66f35298824e3c3d9cefd3f9a57142aaa201de4e66e9e562de6
                                                                  • Opcode Fuzzy Hash: dc9c2e9eaafad4e3a0b930daa8eef7eb5b6cb077efc5a063cba6527951a21cf8
                                                                  • Instruction Fuzzy Hash: 11F082B25403107BE3106771BC26FBB3A9CEB18395F004074FA09E9992D7B24C61C7A8
                                                                  APIs
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 00106BE6
                                                                    • Part of subcall function 001076C4: _memset.LIBCMT ref: 001076F9
                                                                  • _memmove.LIBCMT ref: 00106C09
                                                                  • _memset.LIBCMT ref: 00106C16
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 00106C26
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                  • String ID:
                                                                  • API String ID: 48991266-0
                                                                  • Opcode ID: bf6aaee4809d95c83f26ad54c41a2a6f7979ea7e0eccd26ecd19e9c51383a6db
                                                                  • Instruction ID: d372b7f4cbb2c6a1d2c2661455fecca6789d36d15bdcb2b3b53271eafddca5f5
                                                                  • Opcode Fuzzy Hash: bf6aaee4809d95c83f26ad54c41a2a6f7979ea7e0eccd26ecd19e9c51383a6db
                                                                  • Instruction Fuzzy Hash: 25F0543A100100BBCF016F95DC85E8ABB29EF55320F048065FE095E267CB71E852CBB4
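The function entries above all follow one layout (an "APIs" list of direct and subcall references, the dump source, then the Similarity fields with an API String ID). When triaging a long listing like this it is quicker to parse it than to scroll it. The following Python is an added example, not Joe Sandbox code or tooling: it parses entries in this layout and flags combinations of direct API calls such as CreateProcessWithLogonW, QueryPerformanceCounter paired with Sleep, and gethostbyname paired with inet_ntoa. The names parse_blocks, flag_blocks, RULES and SAMPLE are this example's own; SAMPLE is a constructed excerpt that reuses API names and API String IDs from entries on this page with argument lists shortened, and RULES is an illustrative starting set rather than a verdict: in a packed or interpreter-style binary many of these functions are runtime library code, so a hit is a lead to confirm against the entry's Opcode ID and Instruction ID, not proof of malicious intent.

```python
"""Parse Joe Sandbox function entries ("APIs" / "Similarity" listings) and flag
API combinations worth a closer look.

Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt in the
report's layout; RULES is an illustrative starting point. A hit is a lead to
confirm against the entry's Opcode ID / Instruction ID, not a verdict: in a
packed or interpreter-style binary many of these functions are runtime code.
"""
import re

# One API call line, e.g.
#   • CreateProcessWithLogonW.ADVAPI32(?,?,00000000), ref: 000F8632
#   • _free.LIBCMT ref: 000D5101
#     • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(?), ref: 000A5A2C
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Any other "• Key: value" line (Source File, API ID, API String ID, ...).
FIELD_LINE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


def parse_blocks(text):
    """Split the listing into function entries; every entry starts at a line 'APIs'."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "api_id": None, "api_string_id": None, "source_file": None}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.search(line)
        if m:
            args = m.group("args")
            current["calls"].append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": [] if args is None else [a for a in args.split(",") if a],
                "ref": m.group("ref"),
                "subcall": m.group("subcall"),  # None for a direct call
            })
            continue
        f = FIELD_LINE.match(line)
        if f:
            key, value = f.group("key"), f.group("value")
            if key == "API ID":
                current["api_id"] = value
            elif key == "API String ID":
                current["api_string_id"] = value
            elif key == "Source File":
                current["source_file"] = value.split(",")[0]
    return blocks


# Constructed rules: every named API must be a direct call in the same entry.
RULES = {
    "process created under supplied credentials": {"CreateProcessWithLogonW"},
    "timing check around Sleep": {"QueryPerformanceCounter", "Sleep"},
    "hostname resolved and rendered as dotted IP": {"gethostbyname", "inet_ntoa"},
    "child process spawned": {"CreateProcessW"},
}


def flag_blocks(blocks, rules=RULES):
    """Return (API String ID, rule name) pairs for entries whose direct calls match a rule."""
    findings = []
    for block in blocks:
        direct = {c["api"] for c in block["calls"] if c["subcall"] is None}
        for name, needed in rules.items():
            if needed <= direct:
                findings.append((block["api_string_id"], name))
    return findings


# Constructed sample: three entries in the report's layout, argument lists shortened.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000F85E2
• OpenProcessToken.ADVAPI32(00000000), ref: 000F85E9
• CloseHandle.KERNEL32(00000004), ref: 000F8603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F8632
Memory Dump Source
• Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
Similarity
• API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
• API String ID: 2621361867-0
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0010115F
• Sleep.KERNEL32(00000000,?), ref: 00101184
• QueryPerformanceCounter.KERNEL32(?), ref: 0010118E
• Sleep.KERNEL32(?), ref: 001011C1
Memory Dump Source
• Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
• API String ID: 2875609808-0
APIs
  • Part of subcall function 000A5A15: WideCharToMultiByte.KERNEL32(00000000,?), ref: 000A5A2C
• gethostbyname.WS2_32(?), ref: 00116399
• WSAGetLastError.WS2_32(00000000), ref: 001163A4
• _memmove.LIBCMT ref: 001163D1
• inet_ntoa.WS2_32(?), ref: 001163DC
Memory Dump Source
• Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• API String ID: 1504782959-0
"""

if __name__ == "__main__":
    for string_id, why in flag_blocks(parse_blocks(SAMPLE)):
        print(string_id, "->", why)
```

Subcall references (the "Part of subcall function" lines) are kept in the parsed entry but excluded from rule matching on purpose: they belong to a callee shared by many functions, so counting them would make almost every entry match the heap or string-conversion rules. Feeding the whole report text through parse_blocks gives one record per function entry, and the API String ID in each finding is the key to look the entry up again in the page.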
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 000A2231
                                                                  • SetTextColor.GDI32(?,000000FF), ref: 000A223B
                                                                  • SetBkMode.GDI32(?,00000001), ref: 000A2250
                                                                  • GetStockObject.GDI32(00000005), ref: 000A2258
                                                                  • GetWindowDC.USER32(?,00000000), ref: 000DBE83
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 000DBE90
                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 000DBEA9
                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 000DBEC2
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 000DBEE2
                                                                  • ReleaseDC.USER32(?,00000000), ref: 000DBEED
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                  • String ID:
                                                                  • API String ID: 1946975507-0
                                                                  • Opcode ID: 6671ff2b53ffe26fe87159b7999f5882de88fb702c52eeb51d29dc5c8a7c9b97
                                                                  • Instruction ID: 10bd625fe8e207236a21ba585a4f6439b85629adb468ca83f6539d4956f29ab1
                                                                  • Opcode Fuzzy Hash: 6671ff2b53ffe26fe87159b7999f5882de88fb702c52eeb51d29dc5c8a7c9b97
                                                                  • Instruction Fuzzy Hash: 4EE03932104244FADB615FA8EC0DBD83B60EB05332F00837AFA69880E1877149A2DB22
                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 000F871B
                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,000F82E6), ref: 000F8722
                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000F82E6), ref: 000F872F
                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,000F82E6), ref: 000F8736
                                                                  Similarity
                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                  • String ID:
                                                                  • API String ID: 3974789173-0
                                                                  • Opcode ID: dcdd25b85f8fee16c9e26d27ce7cb0b627184511aefc98a28ab28b0c1cc2b4d7
                                                                  • Instruction ID: 807f77c01eccbe345990f9cd953fce687abffb243351639c320d948fda081327
                                                                  • Opcode Fuzzy Hash: dcdd25b85f8fee16c9e26d27ce7cb0b627184511aefc98a28ab28b0c1cc2b4d7
                                                                  • Instruction Fuzzy Hash: 25E04F36615311EBD770AFB06D0CB973BB8EF55791F14883CB245C9440DA248493D750
                                                                  APIs
                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 000FB4BE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ContainedObject
                                                                  • String ID: AutoIt3GUI$Container
                                                                  • API String ID: 3565006973-3941886329
                                                                  • Opcode ID: d60cbd0613a8178fb485bdbb6791be87790e884eb19be5b8635b2f9056cf1652
                                                                  • Instruction ID: cc9600659058cd31e3f2802b08e81033cf46f31808a1edc234ede2847a6a9a59
                                                                  • Opcode Fuzzy Hash: d60cbd0613a8178fb485bdbb6791be87790e884eb19be5b8635b2f9056cf1652
                                                                  • Instruction Fuzzy Hash: 12915870200605AFDB64DF64C884B6AB7E9FF48B00F20846DFA4ACB691DB71E841DF50
                                                                  APIs
                                                                    • Part of subcall function 000BFC86: _wcscpy.LIBCMT ref: 000BFCA9
                                                                    • Part of subcall function 000A9837: __itow.LIBCMT ref: 000A9862
                                                                    • Part of subcall function 000A9837: __swprintf.LIBCMT ref: 000A98AC
                                                                  • __wcsnicmp.LIBCMT ref: 0010B02D
                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0010B0F6
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                  • String ID: LPT
                                                                  • API String ID: 3222508074-1350329615
                                                                  • Opcode ID: 58c2ee660a7fdf4da5ae1a325be331e2379962143cb8ee1674656f508b93b399
                                                                  • Instruction ID: 3960b4df2186df66027dff7175f76cc1ccb25adb11e8539c96911604e4e523e8
                                                                  • Opcode Fuzzy Hash: 58c2ee660a7fdf4da5ae1a325be331e2379962143cb8ee1674656f508b93b399
                                                                  • Instruction Fuzzy Hash: 6461A075A04219EFCB18DF94D891EFEB7B4EF09710F114069F956AB291DBB0AE80CB50
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 000B2968
                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 000B2981
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: GlobalMemorySleepStatus
                                                                  • String ID: @
                                                                  • API String ID: 2783356886-2766056989
                                                                  • Opcode ID: a074f9c67c0d1f514fa0355703151428e8a1c9424ee08dc120b2bd2714804b76
                                                                  • Instruction ID: e8dbd473b19bdc82f665475ce220d7308709f964835b8f79915ff157de929bdf
                                                                  • Opcode Fuzzy Hash: a074f9c67c0d1f514fa0355703151428e8a1c9424ee08dc120b2bd2714804b76
                                                                  • Instruction Fuzzy Hash: F7514771518744ABE320EF50D886BEFBBE8FB86344F41885DF2D8410A2DF358569CB66
                                                                  APIs
                                                                    • Part of subcall function 000A4F0B: __fread_nolock.LIBCMT ref: 000A4F29
                                                                  • _wcscmp.LIBCMT ref: 00109824
                                                                  • _wcscmp.LIBCMT ref: 00109837
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscmp$__fread_nolock
                                                                  • String ID: FILE
                                                                  • API String ID: 4029003684-3121273764
                                                                  • Opcode ID: 8e472e865cced5fe04272bbfd3b73c2e90e96f13e6fd1a6a301c4ed25a2d202c
                                                                  • Instruction ID: 66eaebff88700709a0bab95d962f9a7ed0cedef82762302d83cca41b8d369c16
                                                                  • Opcode Fuzzy Hash: 8e472e865cced5fe04272bbfd3b73c2e90e96f13e6fd1a6a301c4ed25a2d202c
                                                                  • Instruction Fuzzy Hash: 42419575A00219BADF219AE4CC56FEFB7B9DF86710F00447AF944A7182DBB199048B61
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0011259E
                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001125D4
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CrackInternet_memset
                                                                  • String ID: |
                                                                  • API String ID: 1413715105-2343686810
                                                                  • Opcode ID: 686fe055fa129613a74c4c14a0083df049692e0f70f3afe5d8a6f1d038feffd7
                                                                  • Instruction ID: 242cfce5a9a61a2d27ba3457c2d9d2a235ab197e262599cfceb811b67046c4ff
                                                                  • Opcode Fuzzy Hash: 686fe055fa129613a74c4c14a0083df049692e0f70f3afe5d8a6f1d038feffd7
                                                                  • Instruction Fuzzy Hash: 4031F471804219EBCF15EFA0CC85EEEBFB9FF09350F104069ED19A6162EB315956DB60
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00127B61
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00127B76
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: '
                                                                  • API String ID: 3850602802-1997036262
                                                                  • Opcode ID: 34e91f5c089b3c7c74e63e7973fdbf81814a8d86df43417fd103a7b378d55c0a
                                                                  • Instruction ID: 918edae67d861860357a6e53560176eb4728c18f54ba7a554b0b9db87b6c6bd9
                                                                  • Opcode Fuzzy Hash: 34e91f5c089b3c7c74e63e7973fdbf81814a8d86df43417fd103a7b378d55c0a
                                                                  • Instruction Fuzzy Hash: 27413874A0521A9FDB14CF68D980BEABBB9FF08310F14016AE904EB381D770A961CF90
                                                                  APIs
                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00126B17
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00126B53
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$DestroyMove
                                                                  • String ID: static
                                                                  • API String ID: 2139405536-2160076837
                                                                  • Opcode ID: ebe7c1f60cdc32a1b7accf1f7ba8720d5f0aa46bdd5c3318b8e983af5f94ea71
                                                                  • Instruction ID: 196e2c174a5a6f864ba88c559c502ad53b2847cec881cd1156187e0eef362294
                                                                  • Opcode Fuzzy Hash: ebe7c1f60cdc32a1b7accf1f7ba8720d5f0aa46bdd5c3318b8e983af5f94ea71
                                                                  • Instruction Fuzzy Hash: 4C316D71200614AEDB109F68DC81AFB77B9FF48760F10862DF9A9D7190DB35ACA2C760
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00102911
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0010294C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: InfoItemMenu_memset
                                                                  • String ID: 0
                                                                  • API String ID: 2223754486-4108050209
                                                                  • Opcode ID: 261bb29b1fd9306503fcb1a6943edd7f69a793b8b27290fe0b183dcf10c72b7c
                                                                  • Instruction ID: 5870e5f11bd179915a9dd2b64539e21a6d842d7053c75dd9ce0e00cb31ab390b
                                                                  • Opcode Fuzzy Hash: 261bb29b1fd9306503fcb1a6943edd7f69a793b8b27290fe0b183dcf10c72b7c
                                                                  • Instruction Fuzzy Hash: 80319131600315EBEF28CF98C989BAEBBF9EF45358F144029E9C5A61E1D7F09944CB51
                                                                  APIs
                                                                  • __snwprintf.LIBCMT ref: 00113A66
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __snwprintf_memmove
                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                  • API String ID: 3506404897-2584243854
                                                                  • Opcode ID: d4a86a92a1d43aac673c218fa23d36c81f4612b95bdca270f9eb9efa696543cc
                                                                  • Instruction ID: d1e90c49b38f8eeeef4d5934cfb9c3993d7a731750899656755a4b94bab65047
                                                                  • Opcode Fuzzy Hash: d4a86a92a1d43aac673c218fa23d36c81f4612b95bdca270f9eb9efa696543cc
                                                                  • Instruction Fuzzy Hash: E4218D30600219AFCF14EFA4DC82EEE77B5AF45310F404468F969BB186DB30EA85CB61
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00126761
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0012676C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: Combobox
                                                                  • API String ID: 3850602802-2096851135
                                                                  • Opcode ID: e1c5b7feec51fe016adfa4ff4b8f2d64e0777a5d87ab7773384f0b6f833de3bf
                                                                  • Instruction ID: 95aeb124a38f27b643d6fca649a11b7c72cf532c084200ae91f6284c8b5d6a9d
                                                                  • Opcode Fuzzy Hash: e1c5b7feec51fe016adfa4ff4b8f2d64e0777a5d87ab7773384f0b6f833de3bf
                                                                  • Instruction Fuzzy Hash: 0B11B275200218AFEF218F54EC80EEB376BEB48368F100129F9149B2D0D771DC6197A0
                                                                  APIs
                                                                    • Part of subcall function 000A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000A1D73
                                                                    • Part of subcall function 000A1D35: GetStockObject.GDI32(00000011), ref: 000A1D87
                                                                    • Part of subcall function 000A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A1D91
                                                                  • GetWindowRect.USER32(00000000,?), ref: 00126C71
                                                                  • GetSysColor.USER32(00000012), ref: 00126C8B
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                  • String ID: static
                                                                  • API String ID: 1983116058-2160076837
                                                                  • Opcode ID: 6d7e915695354507be951c44f8debd7ebca0987cdc518e97d230c1e5a49bde28
                                                                  • Instruction ID: f80062260a398f3adae5069292393af4bd98ea1f6b903e2539baca306dff8ead
                                                                  • Opcode Fuzzy Hash: 6d7e915695354507be951c44f8debd7ebca0987cdc518e97d230c1e5a49bde28
                                                                  • Instruction Fuzzy Hash: 0421267261021AAFDF14DFA8DC45EEA7BB8FB08314F004629F995D2290D735E861DB60
                                                                  APIs
                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 001269A2
                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001269B1
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: LengthMessageSendTextWindow
                                                                  • String ID: edit
                                                                  • API String ID: 2978978980-2167791130
                                                                  • Opcode ID: f8100c753a722ba0f0d5e7a279890e3fc70a558a14fad724c4c1de4604cd5bf0
                                                                  • Instruction ID: fea640042b7a9d6c36f156d6514382d827aeb4d40c450409ecdb61f1415f3cd2
                                                                  • Opcode Fuzzy Hash: f8100c753a722ba0f0d5e7a279890e3fc70a558a14fad724c4c1de4604cd5bf0
                                                                  • Instruction Fuzzy Hash: 5C114F71500124AFEF108F64EC45EEB3769EB05378F504728F9A5971E0CB75DCA19760
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00102A22
                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00102A41
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: InfoItemMenu_memset
                                                                  • String ID: 0
                                                                  • API String ID: 2223754486-4108050209
                                                                  • Opcode ID: cde5e52e137e35103fbd644ee16b8925863a29aa53f81f544ea2ccf94b9189b3
                                                                  • Instruction ID: a71357989515be133858869493ae55bbe969fcf34681835961cf1c79f7e26891
                                                                  • Opcode Fuzzy Hash: cde5e52e137e35103fbd644ee16b8925863a29aa53f81f544ea2ccf94b9189b3
                                                                  • Instruction Fuzzy Hash: 9311E232A01124EBCF34DF98DC48BAA77B9AB45344F154061E895E76D0DBB0AD0AC791
                                                                  APIs
                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0011222C
                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00112255
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Internet$OpenOption
                                                                  • String ID: <local>
                                                                  • API String ID: 942729171-4266983199
                                                                  • Opcode ID: b6b9281384ab8f8fa5324fe1598a09963d571773f8b0792b888bb497fe1e64e9
                                                                  • Instruction ID: 838149780b079993e65bb14fe21060b39cc8dddc2be9f00a8ca46cbfd40cb585
                                                                  • Opcode Fuzzy Hash: b6b9281384ab8f8fa5324fe1598a09963d571773f8b0792b888bb497fe1e64e9
                                                                  • Instruction Fuzzy Hash: F6110E70501225BADB2C8F118C88EFBFBA8FF1A351F10823AF91586000E3B058E5DAF0
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000F8E73
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 372448540-1403004172
                                                                  • Opcode ID: db786b1a79387efa4bcb7f431190ae1a6c3b413927360e8591d915be5e73045e
                                                                  • Instruction ID: 8b537c0beb1c0d4b17818de93259b0d042d4b03c228fd176d3b943eebe5951e6
                                                                  • Opcode Fuzzy Hash: db786b1a79387efa4bcb7f431190ae1a6c3b413927360e8591d915be5e73045e
                                                                  • Instruction Fuzzy Hash: 0601F1B1701218ABCB14EBE0CC468FE7368EF06320B004A19B9355B6E2EF31580CE750
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 000F8D6B
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 372448540-1403004172
                                                                  • Opcode ID: fc96d05769f515091c95413fa99e013f877078359d14094d365a9a4a9d80575a
                                                                  • Instruction ID: 8f04fb240269b9e39ba79a7eb27001d51cedd8b6b299d2277a3b91df41a7a66d
                                                                  • Opcode Fuzzy Hash: fc96d05769f515091c95413fa99e013f877078359d14094d365a9a4a9d80575a
                                                                  • Instruction Fuzzy Hash: C801B1B1B4110CABCB24EBE0CD52AFF77A89F16300F104019B9156B6D2DE145A0CA262
                                                                  APIs
                                                                    • Part of subcall function 000A7DE1: _memmove.LIBCMT ref: 000A7E22
                                                                    • Part of subcall function 000FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 000FAABC
                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 000F8DEE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 372448540-1403004172
                                                                  • Opcode ID: cdff86fd187f1d106f984558ead3e78bdb52c25c861f91327e7692ba57e6994d
                                                                  • Instruction ID: b7059ffa385f6289c0fbebfd6e402bb25e38d4477c625ce180810353e72a23b0
                                                                  • Opcode Fuzzy Hash: cdff86fd187f1d106f984558ead3e78bdb52c25c861f91327e7692ba57e6994d
                                                                  • Instruction Fuzzy Hash: 0C0184B1A41109A7DB25E6E4CD42AFF77A89F16300F104019B916676D2DA154E0DE271
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp
                                                                  • String ID: #32770
                                                                  • API String ID: 2292705959-463685578
                                                                  • Opcode ID: 7f720161b7c9ea295aef7070e9e3c02be7f80b3a050e7ffe5df9234123962dbb
                                                                  • Instruction ID: ac59521651e08949f2ea6c5d635df4304e2a3651257db46e914be87bc00c539c
                                                                  • Opcode Fuzzy Hash: 7f720161b7c9ea295aef7070e9e3c02be7f80b3a050e7ffe5df9234123962dbb
                                                                  • Instruction Fuzzy Hash: E6E0D13350022967D7209B599C45FA7F7BCDB45B71F00006BFD04D7051D6609B5687D0
                                                                  APIs
                                                                    • Part of subcall function 000DB314: _memset.LIBCMT ref: 000DB321
                                                                    • Part of subcall function 000C0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00164158,00000000,00164144,000DB2F0,?,?,?,000A100A), ref: 000C0945
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,000A100A), ref: 000DB2F4
                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A100A), ref: 000DB303
                                                                  Strings
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000DB2FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                  • API String ID: 3158253471-631824599
                                                                  • Opcode ID: d7348a44e9871629396867c8145eb763cd383cf411b86043718604e72d001374
                                                                  • Instruction ID: 23b0976415b0b5b85ddfbd6ef49adf37789c8bdb66486533c7aaeb8f57dca76f
                                                                  • Opcode Fuzzy Hash: d7348a44e9871629396867c8145eb763cd383cf411b86043718604e72d001374
                                                                  • Instruction Fuzzy Hash: C6E03270200710CBD720AF68E904B867AE8EF00744F018A2EE486C6B51EBB4E586CBB1
                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000F7C82
                                                                    • Part of subcall function 000C3358: _doexit.LIBCMT ref: 000C3362
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Message_doexit
                                                                  • String ID: AutoIt$Error allocating memory.
                                                                  • API String ID: 1993061046-4017498283
                                                                  • Opcode ID: 678d273a5d71b86c6d624958c63da5025a07da74fbf90173795f8fcaec31f082
                                                                  • Instruction ID: 2dd4b25e2d6c25a520e82c13bca40aa7d5b6b11c4593ea58ec8956bdbfb0bd90
                                                                  • Opcode Fuzzy Hash: 678d273a5d71b86c6d624958c63da5025a07da74fbf90173795f8fcaec31f082
                                                                  • Instruction Fuzzy Hash: 2DD05B323C435C76D11533A9BC07FDE75888F05B52F144429FF08995D34AD5499151E5
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 000E1775
                                                                    • Part of subcall function 0011BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,000E195E,?), ref: 0011BFFE
                                                                    • Part of subcall function 0011BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0011C010
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000E196D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                  • String ID: WIN_XPe
                                                                  • API String ID: 582185067-3257408948
                                                                  • Opcode ID: 83836703e42ba59d65905ade6c023cd30bba2ecc76e7a9a39aeca2bcad82c3f8
                                                                  • Instruction ID: ff0c4625c24ed86987d4495b7619a68ab7f2e0a27b9ef10600a41c97dfb7a06f
                                                                  • Opcode Fuzzy Hash: 83836703e42ba59d65905ade6c023cd30bba2ecc76e7a9a39aeca2bcad82c3f8
                                                                  • Instruction Fuzzy Hash: 3CF0ED71808149EFDB25DB92C988AECBBF8BB18701F5400AAE142B6590D7714FC6DF61
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012596E
                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00125981
                                                                    • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: 44181f7fb6610f3e3976c90e68a567be8e6dd9e413a9f86f6de86b0baff43900
                                                                  • Instruction ID: 4574328917cefde8b296839a0ee5a7604b6e50803c1a5824e82b2a65377f481c
                                                                  • Opcode Fuzzy Hash: 44181f7fb6610f3e3976c90e68a567be8e6dd9e413a9f86f6de86b0baff43900
                                                                  • Instruction Fuzzy Hash: F4D0C931394311B6E674BB709C0BFD76A25AF10B51F000839B699AA5D0DAE09852CA54
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001259AE
                                                                  • PostMessageW.USER32(00000000), ref: 001259B5
                                                                    • Part of subcall function 00105244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001052BC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1326919453.00000000000A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 000A0000, based on PE: true
                                                                   • Associated: 00000008.00000002.1326899137.00000000000A0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.0000000000154000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000015E000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.000000000016D000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1326919453.00000000001A4000.00000040.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327111505.00000000001AA000.00000080.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000008.00000002.1327132281.00000000001AB000.00000004.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_a0000_EmbeddedExe1.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: 70785b4adb7ed7270f956d2767cdd507fc01e7c1d0911511735b47525955048a
                                                                  • Instruction ID: 930e3dde1befd32944069ae83746b32c8b240f6140466015fde516e26fbb7c0b
                                                                  • Opcode Fuzzy Hash: 70785b4adb7ed7270f956d2767cdd507fc01e7c1d0911511735b47525955048a
                                                                  • Instruction Fuzzy Hash: 17D0C931380311BAE674BB709C0BFD76A25AF14B51F000839B695AA5D0DAE0A852CA54
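The "APIs" listings in the function entries above follow one fixed line shape: an API name, the module it lives in, the argument list as the sandbox recovered it (`?` for unknown values, literal strings inline), and the `ref:` address of the call site, with indented "Part of subcall function" lines for calls made one level down. When a report has thousands of such entries it is faster to parse them than to read them. The following is an added example, not code from the Joe Sandbox report or from Joe Security: a small parser for these lines that groups calls by module, decodes the message arguments of a `PostMessageW` call, and flags the APIs an analyst usually wants to look at first. The sample text is constructed from lines on this page; `WM_COMMAND = 0x0111` is the standard Windows message constant; the table of "notable" APIs and the notes attached to them are the example's own choices, not part of the report.

```python
"""Parse Joe Sandbox "APIs" listing lines into structured records for triage."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

WM_COMMAND = 0x0111  # standard Windows message constant

# One listing line: "• Api.MODULE(args), ref: ADDR" or, for nested calls,
# "• Part of subcall function ADDR: Api.MODULE(args), ref: ADDR".
# Some entries (e.g. _memset.LIBCMT ref: ...) carry no argument list at all.
_LINE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: lines copied from the function entries on this page.
SAMPLE = """\
• IsDebuggerPresent.KERNEL32(?,?,?,000A100A), ref: 000DB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A100A), ref: 000DB303
  • Part of subcall function 000DB314: _memset.LIBCMT ref: 000DB321
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000F7C82
  • Part of subcall function 000C3358: _doexit.LIBCMT ref: 000C3362
• GetSystemDirectoryW.KERNEL32(?), ref: 000E1775
  • Part of subcall function 0011BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,000E195E,?), ref: 0011BFFE
  • Part of subcall function 0011BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0011C010
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00125981
• PostMessageW.USER32(00000000), ref: 001259B5
"""

# Example's own triage table (assumption: which APIs deserve a first look).
NOTABLE = {
    "IsDebuggerPresent": "debugger-presence check",
    "OutputDebugStringW": "debugger output string",
    "LoadLibraryA": "runtime library load",
    "GetProcAddress": "runtime import resolution",
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: list[str] = field(default_factory=list)
    caller: str | None = None  # set for "Part of subcall function" lines

    @property
    def nested(self) -> bool:
        return self.caller is not None


def parse_api_block(text: str) -> list[ApiCall]:
    """Parse every listing line in `text`; lines that do not match are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("module"), m.group("ref").upper(),
                             args, m.group("caller")))
    return calls


def calls_by_module(calls: list[ApiCall]) -> dict[str, int]:
    """Count calls per imported module (KERNEL32, USER32, the CRT, ...)."""
    return dict(Counter(c.module for c in calls))


def decode_message(call: ApiCall) -> tuple[int, int, int] | None:
    """For Post/SendMessage calls return (msg, wParam, lParam) as ints, else None."""
    if call.api not in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"):
        return None
    if len(call.args) < 4:
        return None  # sandbox could not recover the full argument list
    try:
        msg, wparam, lparam = (int(a, 16) for a in call.args[1:4])
    except ValueError:
        return None
    return msg, wparam, lparam


def notable(calls: list[ApiCall]) -> list[tuple[str, str, str]]:
    """Return (ref, api, note) for calls worth a manual look."""
    out: list[tuple[str, str, str]] = []
    for c in calls:
        if c.api in NOTABLE:
            note = NOTABLE[c.api]
            if c.api == "GetProcAddress" and len(c.args) >= 2:
                note += f" of {c.args[1]}"
            out.append((c.ref, c.api, note))
        elif c.api == "FindWindowW" and c.args and c.args[0] == "Shell_TrayWnd":
            out.append((c.ref, c.api, "locates the taskbar window (Shell_TrayWnd)"))
        elif (decoded := decode_message(c)) and decoded[0] == WM_COMMAND:
            out.append((c.ref, c.api, f"WM_COMMAND with command id 0x{decoded[1]:X}"))
    return out


if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE)
    print(calls_by_module(parsed))
    for ref, api, note in notable(parsed):
        print(f"{ref}  {api:<20} {note}")
```

Run it on the text of a whole "APIs" section pasted into `SAMPLE` (or read from a file) and the module counts give a quick profile of what the function touches, while `notable()` narrows a long listing to the dynamic-import and window-manipulation calls that are worth opening in the disassembler at the printed `ref:` address.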