
Windows Analysis Report
C2R7VV2QmG.exe

Overview

General Information

Sample name: C2R7VV2QmG.exe
renamed because original name is a hash value
Original sample name: 4108277feb47e70ea76dea706b8a8e7ed1dc94575c1ed200e78073b4d97185a2.exe
Analysis ID: 1588752
MD5: ac26baf5b7b03aa4046b2c2413a4c2c2
SHA1: 4cc0593d71b377a7b5ffc9fa578dcb8dd374f4ea
SHA256: 4108277feb47e70ea76dea706b8a8e7ed1dc94575c1ed200e78073b4d97185a2
Tags: exe, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • C2R7VV2QmG.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\C2R7VV2QmG.exe" MD5: AC26BAF5B7B03AA4046B2C2413A4C2C2)
    • lecheries.exe (PID: 4152 cmdline: "C:\Users\user\Desktop\C2R7VV2QmG.exe" MD5: AC26BAF5B7B03AA4046B2C2413A4C2C2)
  • wscript.exe (PID: 2100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • lecheries.exe (PID: 6676 cmdline: "C:\Users\user\AppData\Local\differences\lecheries.exe" MD5: AC26BAF5B7B03AA4046B2C2413A4C2C2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.3909719441.0000000003FDE000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings
2.2.lecheries.exe.3b20000.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
2.2.lecheries.exe.3b20000.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
2.2.lecheries.exe.3b20000.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
2.2.lecheries.exe.3b20000.2.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
2.2.lecheries.exe.3b20000.2.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" , ProcessId: 2100, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs" , ProcessId: 2100, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\differences\lecheries.exe, ProcessId: 4152, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\differences\lecheries.exe, ProcessId: 4152, TargetFilename: C:\ProgramData\remcos\logs.dat


                    AV Detection

                    barindex
                    Source: 00000004.00000002.1590336253.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, ReversingLabs: Detection: 76%
                    Source: C2R7VV2QmG.exe, Virustotal: Detection: 78%
                    Source: C2R7VV2QmG.exe, ReversingLabs: Detection: 76%
                    Source: Yara match, File source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3909719441.0000000003FDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3909055297.000000000128C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000004.00000002.1590336253.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3909175397.000000000137D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR
                    Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Joe Sandbox ML: detected
                    Source: C2R7VV2QmG.exe, Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_0043293A
                    Source: lecheries.exe, Binary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

                    Source: Yara match, File source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00406764 _wcslen,CoGetObject,2_2_00406764
                    Source: C2R7VV2QmG.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0055445A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055C6D1 FindFirstFileW,FindClose,0_2_0055C6D1
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0055C75C
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0055EF95
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0055F0F2
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0055F3F3
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_005537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005537EF
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_00553B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00553B12
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe, Code function: 0_2_0055BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0055BCBC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B335
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_0041B42F
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B53A
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0044D5E9 FindFirstFileExA,2_2_0044D5E9
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_004089A9
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW,2_2_00406AC2
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_00407A8C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00418C69
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_00408DA7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0082445A
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082C6D1 FindFirstFileW,FindClose,2_2_0082C6D1
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0082C75C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0082EF95
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0082F0F2
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0082F3F3
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_008237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008237EF
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00823B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00823B12
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_0082BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0082BCBC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe, Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00406F06

                    Networking

                    Source: Network traffic, Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49736 -> 192.210.150.26:8787
                    Source: Malware configuration extractorURLs: 150.26
                    Source: Joe Sandbox ViewIP Address: 192.210.150.26 192.210.150.26
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_005622EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_005622EE
                    Source: lecheries.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: lecheries.exe, 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, lecheries.exe, 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 2_2_004099E4
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00564164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00564164
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004159C6
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00834164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00834164
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00563F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00563F66
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0055001C
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0057CABC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0084CABC
                    Source: Yara match | File source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3909719441.0000000003FDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3909055297.000000000128C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.1590336253.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.3909175397.000000000137D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0041BB77 SystemParametersInfoW,2_2_0041BB77

                    System Summary

                    Source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: This is a third-party compiled AutoIt script. 0_2_004F3B3A
                    Source: C2R7VV2QmG.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: C2R7VV2QmG.exe, 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9f8b92ed-4
                    Source: C2R7VV2QmG.exe, 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_8d18c6b4-b
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: This is a third-party compiled AutoIt script. 2_2_007C3B3A
                    Source: lecheries.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: lecheries.exe, 00000002.00000002.3908629214.0000000000874000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bcacbb06-1
                    Source: lecheries.exe, 00000002.00000002.3908629214.0000000000874000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_125155b8-8
                    Source: lecheries.exe, 00000004.00000002.1589624829.0000000000874000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8ee1bb55-7
                    Source: lecheries.exe, 00000004.00000002.1589624829.0000000000874000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_bd9c30d1-4
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_004F3633
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0057C1AC
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_0057C498
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C57D SendMessageW,NtdllDialogWndProc_W,0_2_0057C57D
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_0057C5FE
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C860 NtdllDialogWndProc_W,0_2_0057C860
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C88F NtdllDialogWndProc_W,0_2_0057C88F
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C8BE NtdllDialogWndProc_W,0_2_0057C8BE
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C909 NtdllDialogWndProc_W,0_2_0057C909
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057C93E ClientToScreen,NtdllDialogWndProc_W,0_2_0057C93E
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057CA7C GetWindowLongW,NtdllDialogWndProc_W,0_2_0057CA7C
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0057CABC
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74B1C8D0,NtdllDialogWndProc_W,0_2_004F1287
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_004F1290
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057D3B8 NtdllDialogWndProc_W,0_2_0057D3B8
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_0057D43E
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F167D NtdllDialogWndProc_W,0_2_004F167D
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F16DE GetParent,NtdllDialogWndProc_W,0_2_004F16DE
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F16B5 NtdllDialogWndProc_W,0_2_004F16B5
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057D78C NtdllDialogWndProc_W,0_2_0057D78C
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F189B NtdllDialogWndProc_W,0_2_004F189B
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057BC5D NtdllDialogWndProc_W,CallWindowProcW,0_2_0057BC5D
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057BF30 NtdllDialogWndProc_W,0_2_0057BF30
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_0057BF8C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,2_2_0041ACC1
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,2_2_0041ACED
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_007C3633
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,2_2_0084C1AC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_0084C498
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_0084C5FE
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C57D SendMessageW,NtdllDialogWndProc_W,2_2_0084C57D
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C88F NtdllDialogWndProc_W,2_2_0084C88F
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C8BE NtdllDialogWndProc_W,2_2_0084C8BE
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C860 NtdllDialogWndProc_W,2_2_0084C860
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C909 NtdllDialogWndProc_W,2_2_0084C909
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084C93E ClientToScreen,NtdllDialogWndProc_W,2_2_0084C93E
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0084CABC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084CA7C GetWindowLongW,NtdllDialogWndProc_W,2_2_0084CA7C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,2_2_007C1290
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74B1C8D0,NtdllDialogWndProc_W,2_2_007C1287
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084D3B8 NtdllDialogWndProc_W,2_2_0084D3B8
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,2_2_0084D43E
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C167D NtdllDialogWndProc_W,2_2_007C167D
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C16DE GetParent,NtdllDialogWndProc_W,2_2_007C16DE
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C16B5 NtdllDialogWndProc_W,2_2_007C16B5
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084D78C NtdllDialogWndProc_W,2_2_0084D78C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C189B NtdllDialogWndProc_W,2_2_007C189B
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084BC5D NtdllDialogWndProc_W,CallWindowProcW,2_2_0084BC5D
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,2_2_0084BF8C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084BF30 NtdllDialogWndProc_W,2_2_0084BF30
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0055A1EF
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00548310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74C65590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00548310
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_005551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_005551BD
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,2_2_004158B9
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_008251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_008251BD
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 007C7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 007E8900 appears 42 times
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 007E0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: String function: 00510AE3 appears 70 times
Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: String function: 004F7DE1 appears 36 times
Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: String function: 00518900 appears 42 times
Source: C2R7VV2QmG.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/7@0/1
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_0055A06A GetLastError,FormatMessageW,0_2_0055A06A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_005481CB AdjustTokenPrivileges,CloseHandle,0_2_005481CB
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_005487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_005487E1
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: 2_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_00416AB7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: 2_2_008181CB AdjustTokenPrivileges,CloseHandle,2_2_008181CB
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: 2_2_008187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_008187E1
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0055B333
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0056EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0056EE0D
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0055C397
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_004F4E89
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_00419BC4
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | File created: C:\Users\user\AppData\Local\differences
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | File created: C:\Users\user\AppData\Local\Temp\autE1FD.tmp
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
                    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C2R7VV2QmG.exe | Virustotal: Detection: 78%
                    Source: C2R7VV2QmG.exe | ReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | File read: C:\Users\user\Desktop\C2R7VV2QmG.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\C2R7VV2QmG.exe "C:\Users\user\Desktop\C2R7VV2QmG.exe"
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Process created: C:\Users\user\AppData\Local\differences\lecheries.exe "C:\Users\user\Desktop\C2R7VV2QmG.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\differences\lecheries.exe "C:\Users\user\AppData\Local\differences\lecheries.exe"
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00641A40 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00641A40
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004FC4C6 push A3004FBAh; retn 004Fh 0_2_004FC50D
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00518945 push ecx; ret 0_2_00518958
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F2F12 push es; retf 0_2_004F2F13
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0057F808 push ds; ret 0_2_0057F80A
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_004567E0 push eax; ret 2_2_004567FE
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0045B9DD push esi; ret 2_2_0045B9E6
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00455EAF push ecx; ret 2_2_00455EC2
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00433FF6 push ecx; ret 2_2_00434009
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007E8945 push ecx; ret 2_2_007E8958
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0084F808 push ds; ret 2_2_0084F80A
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00406128 ShellExecuteW,URLDownloadToFileW, 2_2_00406128
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | File created: C:\Users\user\AppData\Local\differences\lecheries.exe

                    Boot Survival

                    barindex
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_00419BC4
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004F48D7
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00575376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00575376
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_007C48D7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00845376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00845376
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00513187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00513187
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
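                    The persistence chain the report records above is a script host (wscript.exe) launched with a .vbs in the user's Startup folder, which in turn starts the dropped lecheries.exe from AppData\Local; the RAT additionally creates a mutex named Rmc-R1T905. The following detection logic is an added example and is not part of the Joe Sandbox report or of the sample. The process-creation records are constructed to mirror the report's process tree (field names in the Sysmon style are an assumption, PIDs are made up, and the benign logon-script record is invented as a negative case); only the image paths, command lines and the mutex name are taken from the report. Treating the Rmc- prefix as a Remcos mutex naming convention is an assumption based on this one sample.

```python
"""Detect a Startup-folder .vbs dropper chain and a Rmc-* mutex (added example)."""
import re
from dataclasses import dataclass

# Startup folder of the current user, as used by the sample's lecheries.vbs.
STARTUP_VBS = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$",
    re.IGNORECASE,
)
# User-writable locations a dropped second stage typically lands in.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: Remcos mutex names start with "Rmc-" (the report shows Rmc-R1T905).
REMCOS_MUTEX = re.compile(r"^Rmc-[A-Za-z0-9]+$")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon-style field names are assumed)."""
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_startup_script_droppers(events):
    """Return (script_host_event, child_event) pairs where wscript/cscript was
    started with a Startup-folder .vbs and then spawned an .exe from AppData."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        # Quoted arguments after the host's own path; the script is one of them.
        args = re.findall(r'"([^"]+)"', parent.command_line)[1:]
        if not any(STARTUP_VBS.search(a) for a in args):
            continue
        if USER_WRITABLE.match(child.image) and child.image.lower().endswith(".exe"):
            hits.append((parent, child))
    return hits


def is_remcos_mutex(name: str) -> bool:
    """Match on the object name only, ignoring the \\Sessions\\N\\BaseNamedObjects prefix."""
    return bool(REMCOS_MUTEX.match(name.rsplit("\\", 1)[-1]))


# Constructed records mirroring the report's process tree (PIDs are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\C2R7VV2QmG.exe",
              r'"C:\Users\user\Desktop\C2R7VV2QmG.exe"'),
    ProcEvent(200, 100, r"C:\Users\user\AppData\Local\differences\lecheries.exe",
              r'"C:\Users\user\Desktop\C2R7VV2QmG.exe"'),
    ProcEvent(300, 1, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" '
              r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"'),
    ProcEvent(400, 300, r"C:\Users\user\AppData\Local\differences\lecheries.exe",
              r'"C:\Users\user\AppData\Local\differences\lecheries.exe"'),
    # Invented benign case: a logon script from a system path spawning net.exe.
    ProcEvent(500, 1, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Windows\scripts\logon.vbs"'),
    ProcEvent(600, 500, r"C:\Windows\System32\net.exe", "net use"),
]

if __name__ == "__main__":
    for parent, child in find_startup_script_droppers(SAMPLE_EVENTS):
        print(f"ALERT: {basename(parent.image)} (pid {parent.pid}) ran a Startup .vbs "
              f"and spawned {child.image} (pid {child.pid})")
    print("Remcos mutex:", is_remcos_mutex(r"\Sessions\1\BaseNamedObjects\Rmc-R1T905"))
```

                    The first launch (C2R7VV2QmG.exe starting lecheries.exe directly) is deliberately not flagged by this rule: it is the reboot path through wscript.exe that distinguishes the persistence mechanism, and the Startup-folder constraint keeps ordinary logon scripts out of the alert.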

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0040E54F Sleep,ExitProcess, 2_2_0040E54F
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 2_2_004198C2
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Window / User API: threadDelayed 2307
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Window / User API: threadDelayed 7248
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Window / User API: foregroundWindowGot 1737
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | API coverage: 4.4 %
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | API coverage: 6.9 %
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe TID: 3272 | Thread sleep count: 147 > 30
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe TID: 3272 | Thread sleep time: -73500s >= -30000s
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe TID: 3044 | Thread sleep count: 2307 > 30
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe TID: 3044 | Thread sleep time: -6921000s >= -30000s
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe TID: 3044 | Thread sleep count: 7248 > 30
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe TID: 3044 | Thread sleep time: -21744000s >= -30000s
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0055445A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055C6D1 FindFirstFileW,FindClose, 0_2_0055C6D1
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0055C75C
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0055EF95
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0055F0F2
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0055F3F3
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_005537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005537EF
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00553B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00553B12
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0055BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0055BCBC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040B335
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 2_2_0041B42F
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040B53A
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0044D5E9 FindFirstFileExA, 2_2_0044D5E9
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 2_2_004089A9
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW, 2_2_00406AC2
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 2_2_00407A8C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00418C69
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 2_2_00408DA7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082445A GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0082445A
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082C6D1 FindFirstFileW,FindClose, 2_2_0082C6D1
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_0082C75C
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0082EF95
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0082F0F2
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_0082F3F3
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_008237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_008237EF
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00823B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00823B12
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0082BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_0082BCBC
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_00406F06
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004F49A0
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&kM;
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | API call chain: ExitProcess graph end node
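                    The six sleep lines above are the sandbox's per-thread aggregates, and the numbers are consistent with fixed-interval loops: 147 x 500 = 73500 for TID 3272, and 2307 x 3000 = 6921000 and 7248 x 3000 = 21744000 for TID 3044, i.e. a 3-second sleep loop that was still running when the second snapshot was taken. The heuristic below reproduces that aggregation over a constructed API trace; it is an added example, not code from Joe Sandbox or from the sample. The thresholds (more than 30 Sleep calls, or at least 30000 of accumulated sleep per thread) are the comparisons printed in the report; that the values are milliseconds, and that the report's negative sign is only how the relative delay is displayed, are assumptions (the Win32 Sleep function takes milliseconds).

```python
"""Per-thread sleep-loop evasion heuristic over a constructed API trace (added example)."""
from collections import defaultdict

# Thresholds as printed in the report's "Thread sleep count" / "Thread sleep time" lines.
MAX_SLEEP_CALLS = 30
MAX_SLEEP_TOTAL_MS = 30_000          # assumption: report values are milliseconds
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


def summarize_sleeps(trace):
    """trace: iterable of (tid, api_name, argument_ms).
    Returns {tid: (call_count, total_ms, sorted distinct intervals)} for
    threads that slept at all; the distinct intervals expose fixed-period loops."""
    count = defaultdict(int)
    total = defaultdict(int)
    intervals = defaultdict(set)
    for tid, api, ms in trace:
        if api not in SLEEP_APIS:
            continue
        count[tid] += 1
        total[tid] += ms
        intervals[tid].add(ms)
    return {tid: (count[tid], total[tid], sorted(intervals[tid])) for tid in count}


def flag_evasive_threads(trace):
    """Return {tid: [reasons]} for threads exceeding either threshold."""
    flagged = {}
    for tid, (calls, total_ms, _ivals) in summarize_sleeps(trace).items():
        reasons = []
        if calls > MAX_SLEEP_CALLS:
            reasons.append(f"sleep count {calls} > {MAX_SLEEP_CALLS}")
        if total_ms >= MAX_SLEEP_TOTAL_MS:
            reasons.append(f"sleep time {total_ms} ms >= {MAX_SLEEP_TOTAL_MS} ms")
        if reasons:
            flagged[tid] = reasons
    return flagged


def build_sample_trace():
    """Constructed trace whose per-thread totals reproduce the report's first
    snapshot; the benign thread 1111 is invented as a negative case."""
    trace = [(3272, "Sleep", 500)] * 147        # 147 x 500 ms  = 73500 ms
    trace += [(3044, "Sleep", 3000)] * 2307     # 2307 x 3000 ms = 6921000 ms
    trace += [(1111, "Sleep", 100)] * 5         # 5 x 100 ms = 500 ms, under both limits
    trace += [(1111, "CreateFileW", 0)]         # non-sleep call, ignored
    return trace


if __name__ == "__main__":
    for tid, (calls, total_ms, ivals) in sorted(summarize_sleeps(build_sample_trace()).items()):
        print(f"TID {tid}: {calls} sleeps, {total_ms} ms total, intervals {ivals}")
    for tid, reasons in flag_evasive_threads(build_sample_trace()).items():
        print(f"TID {tid} evasive: {'; '.join(reasons)}")
```

                    On a real trace the interesting output is the intervals column: a single repeated value with thousands of calls is the signature of a polling or stalling loop, whereas a thread that sleeps for a long total across varied intervals is more often legitimate waiting.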
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00563F09 BlockInput, 0_2_00563F09
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_004F3B3A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00525A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00525A7C
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00641A40 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00641A40
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_017C42B8 mov eax, dword ptr fs:[00000030h] 0_2_017C42B8
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_017C42A6 mov eax, dword ptr fs:[00000030h] 0_2_017C42A6
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_017C5968 mov eax, dword ptr fs:[00000030h] 0_2_017C5968
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_017C5908 mov eax, dword ptr fs:[00000030h] 0_2_017C5908
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00442554 mov eax, dword ptr fs:[00000030h] 2_2_00442554
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_01335348 mov eax, dword ptr fs:[00000030h] 2_2_01335348
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_013352E8 mov eax, dword ptr fs:[00000030h] 2_2_013352E8
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_01333C98 mov eax, dword ptr fs:[00000030h] 2_2_01333C98
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_01333C86 mov eax, dword ptr fs:[00000030h] 2_2_01333C86
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_005480A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation, 0_2_005480A9
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0051A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0051A155
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0051A124 SetUnhandledExceptionFilter, 0_2_0051A124
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00434168
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0043A65D
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00433B44
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_00433CD7 SetUnhandledExceptionFilter, 2_2_00433CD7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_007EA155
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: 2_2_007EA124 SetUnhandledExceptionFilter, 2_2_007EA124
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_00410F36
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_005487B1 LogonUserW, 0_2_005487B1
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_004F3B3A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_004F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004F48D7
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00554C53 mouse_event, 0_2_00554C53
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\differences\lecheries.exe "C:\Users\user\AppData\Local\differences\lecheries.exe"
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_00547CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00547CAF
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exe | Code function: 0_2_0054874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0054874B
                    Source: C2R7VV2QmG.exe, 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp, lecheries.exe, 00000002.00000002.3908629214.0000000000874000.00000040.00000001.01000000.00000004.sdmp, lecheries.exe, 00000004.00000002.1589624829.0000000000874000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0.26:8787
                    Source: lecheries.exe, 00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagersInfo
                    Source: C2R7VV2QmG.exe, lecheries.exe | Binary or memory string: Shell_TrayWnd
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager05\7
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager05\
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerert|
                    Source: lecheries.exe, 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                    Source: lecheries.exe, 00000002.00000002.3909055297.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.drBinary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_0051862B cpuid 0_2_0051862B
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: EnumSystemLocalesW,2_2_004470AE
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetLocaleInfoW,2_2_004510BA
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004511E3
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetLocaleInfoW,2_2_004512EA
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_004513B7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetLocaleInfoW,2_2_00447597
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetLocaleInfoA,2_2_0040E679
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00450A7F
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: EnumSystemLocalesW,2_2_00450CF7
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: EnumSystemLocalesW,2_2_00450D42
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: EnumSystemLocalesW,2_2_00450DDD
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00450E6A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_00524E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00524E87
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_00531E06 GetUserNameW,0_2_00531E06
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_00523F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00523F3A
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_004F49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004F49A0
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909719441.0000000003FDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909055297.000000000128C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1590336253.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909175397.000000000137D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data2_2_0040B21B
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\2_2_0040B335
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: \key3.db2_2_0040B335
                    Source: lecheries.exeBinary or memory string: WIN_81
                    Source: lecheries.exeBinary or memory string: WIN_XP
                    Source: lecheries.exeBinary or memory string: WIN_XPe
                    Source: lecheries.exeBinary or memory string: WIN_VISTA
                    Source: lecheries.exeBinary or memory string: WIN_7
                    Source: lecheries.exeBinary or memory string: WIN_8
                    Source: lecheries.exe, 00000004.00000002.1589624829.0000000000874000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: Yara matchFile source: 2.2.lecheries.exe.3b20000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.4160000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.lecheries.exe.3b20000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.lecheries.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.lecheries.exe.4160000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909719441.0000000003FDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909055297.000000000128C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1590336253.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.3909175397.000000000137D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lecheries.exe PID: 4152, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lecheries.exe PID: 6676, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: cmd.exe2_2_00405042
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_00566283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00566283
                    Source: C:\Users\user\Desktop\C2R7VV2QmG.exeCode function: 0_2_00566747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00566747
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: 2_2_00836283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00836283
                    Source: C:\Users\user\AppData\Local\differences\lecheries.exeCode function: 2_2_00836747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00836747
                    MITRE ATT&CK Matrix (columns are tactics; leading digits on a technique are as shown in the report)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 2 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                    Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 121 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                    Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 2 Valid Accounts | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Windows Service | 2 Valid Accounts | 1 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 26 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Windows Service | 1 Bypass User Account Control | Cached Domain Credentials | 131 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 22 Process Injection | 1 Masquerading | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 21 Access Token Manipulation | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 22 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Source | Detection | Scanner | Label
                    C2R7VV2QmG.exe | 79% | Virustotal |
                    C2R7VV2QmG.exe | 76% | ReversingLabs | Win32.Trojan.AutoitInject
                    C2R7VV2QmG.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\differences\lecheries.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\differences\lecheries.exe | 76% | ReversingLabs | Win32.Trojan.AutoitInject

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    150.26 | 0% | Avira URL Cloud | safe

                    No contacted domains info

                    Name | Malicious | Antivirus Detection | Reputation
                    150.26 | true | Avira URL Cloud: safe | unknown

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://geoplugin.net/json.gp | lecheries.exe | false | | high
                    http://geoplugin.net/json.gp/C | lecheries.exe, 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, lecheries.exe, 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, lecheries.exe, 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp | false | | high

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    192.210.150.26 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1588752
                        Start date and time:2025-01-11 05:03:33 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 27s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:9
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:C2R7VV2QmG.exe
                        renamed because original name is a hash value
                        Original Sample Name:4108277feb47e70ea76dea706b8a8e7ed1dc94575c1ed200e78073b4d97185a2.exe
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.expl.evad.winEXE@6/7@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 56
                        • Number of non-executed functions: 278
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.12.23.50, 13.107.246.45
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        Time | Type | Description
                        05:04:35 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs
                        23:05:05 | API Interceptor | 6065373x Sleep call for process: lecheries.exe modified
                        Match | Associated Sample Name / URL | Detection | Threat Name
                        192.210.150.26 | 8kjlHXmbAY.exe | malicious | Remcos
                        192.210.150.26 | NssBkEQKsI.exe | malicious | Remcos
                        192.210.150.26 | l1QC9H0SNR.exe | malicious | Remcos
                        192.210.150.26 | bwYw3UUfy7.exe | malicious | Remcos
                        192.210.150.26 | FACTURA.xlsx | malicious | Remcos
                        192.210.150.26 | 7056ZCiFdE.exe | malicious | Remcos
                        192.210.150.26 | uIarPolvHR.exe | malicious | Remcos
                        192.210.150.26 | IB9876789000.bat.exe | malicious | Remcos
                        192.210.150.26 | z49FACTURA-0987678.exe | malicious | Remcos
                        192.210.150.26 | FAT6789098700900.scr.exe | malicious | Remcos
                        No context

                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        AS-COLOCROSSINGUS | 8kjlHXmbAY.exe | malicious | Remcos | 192.210.150.26
                        AS-COLOCROSSINGUS | OKkUGRkZV7.exe | malicious | Remcos | 192.3.64.152
                        AS-COLOCROSSINGUS | NssBkEQKsI.exe | malicious | Remcos | 192.210.150.26
                        AS-COLOCROSSINGUS | l1QC9H0SNR.exe | malicious | Remcos | 192.210.150.26
                        AS-COLOCROSSINGUS | MLxloAVuCZ.exe | malicious | Remcos | 192.3.64.152
                        AS-COLOCROSSINGUS | bwYw3UUfy7.exe | malicious | Remcos | 192.210.150.26
                        AS-COLOCROSSINGUS | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | sh4.elf | malicious | Mirai | 23.95.117.229
                        No context
                        No context
                                            Process:C:\Users\user\AppData\Local\differences\lecheries.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):204
                                            Entropy (8bit):3.3414298427036524
                                            Encrypted:false
                                            SSDEEP:3:rglsOlfXl8Tlf6fcl5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:Mls6zfU5YcIeeDAlOWA41gWAv
                                            MD5:F5C03DD53234D8AD5ABE30FABE6FD0D4
                                            SHA1:1A840404907CF5CEF3A63B0973B37606308B915F
                                            SHA-256:45C59F074D5CCB2387EB0570D729BF9AB29B553A1AC5E161582F867F4FE82AA5
                                            SHA-512:A14AB21E39D8D357936E228840D2B4BBA3B7025C5C294388B79FCE43B86D85400B212F638AEFD5F34C9BB3868E867BCA99E2AECCD01B04F44099568C37EBED6D
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                            Reputation:low
                                            Preview:....[.2.0.2.5./.0.1./.1.0. .2.3.:.0.4.:.3.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                            Process:C:\Users\user\AppData\Local\differences\lecheries.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):408930
                                            Entropy (8bit):7.978691129569242
                                            Encrypted:false
                                            SSDEEP:12288:9ngGvH0h2kAesLkEMbM4wnWnkeG9AqlrtzkJh+mTF:drc858EMbM4CE1qlZzEp
                                            MD5:3BB2DEC320628996095338A819DD9B7B
                                            SHA1:3A4F2F25AB019DBBF21FD510807811D718833DE0
                                            SHA-256:26AE89457FF05DF72B7EDE7450FFAE2185018168E42C1501CD2779D84528372B
                                            SHA-512:69D09653FF553578D0DD22FB6260471A495CD2CAC708A58E5C828319F7A294EB71089AC43176AC403E0A4C77DF1131E8F72AB718BD9D51B54D39DBDC58DC2A46
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06........:..mF.R.6.H....I...x..+....ng...L.L.U.~*4..8..........Hh....SW..j..|.M]..b.J..}M..&2h.r.e.Wd....U.E....~........zw.K..wT.F......G.D....G.T..v9h.W..Aw.....`.Uwx(.W_...8...CM..n.0.V....q.0O...h.q?7.~....s..\..Ay..3....Wx.k. .......@..T..0.4....]&.k.*.8.wo....v+4...eV...Z]21[...p.,.\.4%...r.F.V..Jub.6.L..).f..=...L....g6.l)t.Ef.H..d.....$`*].t......4.W..H.......;7p.C;7._.d.m.6kX....<L.......H...q....GH.....8..!..%t..f..O..&u..biT.N+ ...eX..s._.sY.O)......D....In..@A...i...:..........S..._...*..d.&..sk.....mF.Yg...wH..!@ .........C...! T.X.o....Y!u...1.K.rxL.c.R.p..>}..S:.:.b.[..ntn...;..s..=..6.Q(.....4....H..a...:I=.aX.ez.......\...{.\.S:..%n.j.....E..8..-....Z..4v..j.........n..+2M...X..-.:\W...Y..=..sF.H..H.3aH...6.-j...Y.*I.....T.K..M...T.n.f.[.W.*L....L.3.L.a..E.4.j......zE2.....J.g.H.R.I.&.....Sh...........W@-.....8......[.j...:..[V....$..[..(..V..[3:g.as..{.....P.Hc...B-5.Zq.Z.d.....Y0..~...:..lb..+.....[Z.d.......p.{.j.'.p..E..Nd...2.<L
                                            Process:C:\Users\user\Desktop\C2R7VV2QmG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):408930
                                            Entropy (8bit):7.978691129569242
                                            Encrypted:false
                                            SSDEEP:12288:9ngGvH0h2kAesLkEMbM4wnWnkeG9AqlrtzkJh+mTF:drc858EMbM4CE1qlZzEp
                                            MD5:3BB2DEC320628996095338A819DD9B7B
                                            SHA1:3A4F2F25AB019DBBF21FD510807811D718833DE0
                                            SHA-256:26AE89457FF05DF72B7EDE7450FFAE2185018168E42C1501CD2779D84528372B
                                            SHA-512:69D09653FF553578D0DD22FB6260471A495CD2CAC708A58E5C828319F7A294EB71089AC43176AC403E0A4C77DF1131E8F72AB718BD9D51B54D39DBDC58DC2A46
                                            Malicious:false
                                            Reputation:low
                                            Preview:
                                            Process:C:\Users\user\AppData\Local\differences\lecheries.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):408930
                                            Entropy (8bit):7.978691129569242
                                            Encrypted:false
                                            SSDEEP:12288:9ngGvH0h2kAesLkEMbM4wnWnkeG9AqlrtzkJh+mTF:drc858EMbM4CE1qlZzEp
                                            MD5:3BB2DEC320628996095338A819DD9B7B
                                            SHA1:3A4F2F25AB019DBBF21FD510807811D718833DE0
                                            SHA-256:26AE89457FF05DF72B7EDE7450FFAE2185018168E42C1501CD2779D84528372B
                                            SHA-512:69D09653FF553578D0DD22FB6260471A495CD2CAC708A58E5C828319F7A294EB71089AC43176AC403E0A4C77DF1131E8F72AB718BD9D51B54D39DBDC58DC2A46
                                            Malicious:false
                                            Reputation:low
                                            Preview:
                                            Process:C:\Users\user\Desktop\C2R7VV2QmG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):492544
                                            Entropy (8bit):7.563333211926921
                                            Encrypted:false
                                            SSDEEP:12288:LUzIIaTHsl60tkhv/uSKOx+2GNbMbrxK4Wj:LUzQTHekdWpY+N2K4Wj
                                            MD5:B330D054750C618EA270434FEC0B3A6F
                                            SHA1:D485934828495F688A5D844905B8AEB0E257E40C
                                            SHA-256:BD39655DC196287079FA8F554A938E2D77BC50E8987E974BFEB2795AB7099F9C
                                            SHA-512:5CF375FD136AA44D990DFF6EBC68FC87C387B871F7712CBA40E9F2432407CCBA42DF6E676B2BFE17350A51912326CA9EE3697ADF42D7672EA22E40D3237F3A3D
                                            Malicious:false
                                            Reputation:low
                                            Preview:
                                            Process:C:\Users\user\Desktop\C2R7VV2QmG.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Category:dropped
                                            Size (bytes):850432
                                            Entropy (8bit):7.962689032892868
                                            Encrypted:false
                                            SSDEEP:24576:Prl6kD68JmlotQfL4boOtmYOaarnTDRTf:zl328U2yfkmmarnTDR
                                            MD5:AC26BAF5B7B03AA4046B2C2413A4C2C2
                                            SHA1:4CC0593D71B377A7B5FFC9FA578DCB8DD374F4EA
                                            SHA-256:4108277FEB47E70EA76DEA706B8A8E7ED1DC94575C1ED200E78073B4D97185A2
                                            SHA-512:DF6A508CF59C7B08DBF8C238E9E41C4D5940336176BB0E5E0A0F11A3FAB213831C532C86E96EC401EC94692010A6663BACB54F2E9FBD212B99DEFC9E97625798
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 76%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....]Mg.........."......`..........@........ ....@.......................................@...@.......@.........................$.... ..............................................................$...H...........................................UPX0....................................UPX1.....`.......^..................@....rsrc........ .......b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                            Process:C:\Users\user\AppData\Local\differences\lecheries.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):284
                                            Entropy (8bit):3.377335200408234
                                            Encrypted:false
                                            SSDEEP:6:DMM8lfm3OOQdUfclwL1UEZ+lX1Al50qGZlVakm6nriIM8lfQVn:DsO+vNlwBQ1A5EbQ4mA2n
                                            MD5:76A184BE082878FAEA897806FB5DFFC3
                                            SHA1:0BFE46BB657A002307C0B97D5A44C9FEE5125852
                                            SHA-256:A4E4F4C6AFB6588BB31D3FD903BFBF1C2B1CC27E8ADBD954FC0C9E38C6569DE3
                                            SHA-512:F8D049A4B232A8E9A325BE748C431A72645D174880FD236871F75E04AE852E0FE23A08B2B433D3A3A5E9F48A2F44E2F5E151785D4503C1BBBCF0350B7BF7C69A
                                            Malicious:true
                                            Reputation:low
                                            Preview (UTF-16LE, decoded):
                                            Set WshShell = CreateObject("WScript.Shell")
                                            WshShell.Run "C:\Users\hubert\AppData\Local\differences\lecheries.exe", 1
                                            Set WshShell = Nothing
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Entropy (8bit):7.962689032892868
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.39%
                                            • UPX compressed Win32 Executable (30571/9) 0.30%
                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            File name:C2R7VV2QmG.exe
                                            File size:850'432 bytes
                                            MD5:ac26baf5b7b03aa4046b2c2413a4c2c2
                                            SHA1:4cc0593d71b377a7b5ffc9fa578dcb8dd374f4ea
                                            SHA256:4108277feb47e70ea76dea706b8a8e7ed1dc94575c1ed200e78073b4d97185a2
                                            SHA512:df6a508cf59c7b08dbf8c238e9e41c4d5940336176bb0e5e0a0f11a3fab213831c532c86e96ec401ec94692010a6663bacb54f2e9fbd212b99defc9e97625798
                                            SSDEEP:24576:Prl6kD68JmlotQfL4boOtmYOaarnTDRTf:zl328U2yfkmmarnTDR
                                            TLSH:100523858AE59A77C7999771C0758D942B6078329E887B1E9B08F26FF830343CC5AB4D
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                            Icon Hash:aaf3e3e3938382a0
                                            Entrypoint:0x551a40
                                            Entrypoint Section:UPX1
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x674D5D08 [Mon Dec 2 07:08:56 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:fc6683d30d9f25244a50fd5357825e79
                                            Instruction
                                            pushad
                                            mov esi, 004FC000h
                                            lea edi, dword ptr [esi-000FB000h]
                                            push edi
                                            jmp 00007F9A1074961Dh
                                            nop
                                            mov al, byte ptr [esi]
                                            inc esi
                                            mov byte ptr [edi], al
                                            inc edi
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F9A107495FFh
                                            mov eax, 00000001h
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            add ebx, ebx
                                            jnc 00007F9A1074961Dh
                                            jne 00007F9A1074963Ah
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F9A10749631h
                                            dec eax
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            jmp 00007F9A107495E6h
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            jmp 00007F9A10749664h
                                            xor ecx, ecx
                                            sub eax, 03h
                                            jc 00007F9A10749623h
                                            shl eax, 08h
                                            mov al, byte ptr [esi]
                                            inc esi
                                            xor eax, FFFFFFFFh
                                            je 00007F9A10749687h
                                            sar eax, 1
                                            mov ebp, eax
                                            jmp 00007F9A1074961Dh
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F9A107495DEh
                                            inc ecx
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F9A107495D0h
                                            add ebx, ebx
                                            jne 00007F9A10749619h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            add ebx, ebx
                                            jnc 00007F9A10749601h
                                            jne 00007F9A1074961Bh
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jnc 00007F9A107495F6h
                                            add ecx, 02h
                                            cmp ebp, FFFFFB00h
                                            adc ecx, 02h
                                            lea edx, dword ptr [edi+ebp]
                                            cmp ebp, FFFFFFFCh
                                            jbe 00007F9A10749620h
                                            mov al, byte ptr [edx]
                                            Programming Language:
                                            • [ASM] VS2013 build 21005
                                            • [ C ] VS2013 build 21005
                                            • [C++] VS2013 build 21005
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                            • [ASM] VS2013 UPD4 build 31101
                                            • [RES] VS2013 build 21005
                                            • [LNK] VS2013 UPD4 build 31101
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cb384 | 0x424 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x152000 | 0x79384 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1cb7a8 | 0xc | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x151c24 | 0x48 | UPX1
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            UPX0 | 0x1000 | 0xfb000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            UPX1 | 0xfc000 | 0x56000 | 0x55e00 | 3a7be2385fdea72038c5bdb36da0feee | False | 0.9871668031295487 | data | 7.9354551936668525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0x152000 | 0x7a000 | 0x79800 | 384f13fd90460483e3d494622be34274 | False | 0.9586367509002057 | data | 7.956744353402616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x1525ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                            RT_ICON | 0x1526d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                            RT_ICON | 0x152804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                            RT_ICON | 0x152930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                            RT_ICON | 0x152c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                            RT_ICON | 0x152d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                            RT_ICON | 0x153bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                            RT_ICON | 0x1544a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                            RT_ICON | 0x154a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                            RT_ICON | 0x156fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                            RT_ICON | 0x158064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                            RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0
                                            RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0
                                            RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0
                                            RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0
                                            RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0
                                            RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0
                                            RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0
                                            RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0
                                            RT_RCDATA | 0x1584d0 | 0x7291b | data | | | 1.000321772947632
                                            RT_GROUP_ICON | 0x1cadf0 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                            RT_GROUP_ICON | 0x1cae6c | 0x14 | data | English | Great Britain | 1.25
                                            RT_GROUP_ICON | 0x1cae84 | 0x14 | data | English | Great Britain | 1.15
                                            RT_GROUP_ICON | 0x1cae9c | 0x14 | data | English | Great Britain | 1.25
                                            RT_VERSION | 0x1caeb4 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                            RT_MANIFEST | 0x1caf94 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                            DLL | Import
                                            KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                            ADVAPI32.dll | GetAce
                                            COMCTL32.dll | ImageList_Remove
                                            COMDLG32.dll | GetOpenFileNameW
                                            GDI32.dll | LineTo
                                            IPHLPAPI.DLL | IcmpSendEcho
                                            MPR.dll | WNetUseConnectionW
                                            ole32.dll | CoGetObject
                                            OLEAUT32.dll | VariantInit
                                            PSAPI.DLL | GetProcessMemoryInfo
                                            SHELL32.dll | DragFinish
                                            USER32.dll | GetDC
                                            USERENV.dll | LoadUserProfileW
                                            UxTheme.dll | IsThemeActive
                                            VERSION.dll | VerQueryValueW
                                            WININET.dll | FtpOpenFileW
                                            WINMM.dll | timeGetTime
                                            WSOCK32.dll | connect
                                            Language of compilation system | Country where language is spoken | Map
                                            English | Great Britain |
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jan 11, 2025 05:04:33.824309111 CET | 49704 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:33.829401016 CET | 8787 | 49704 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:33.829499960 CET | 49704 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:33.829866886 CET | 49704 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:33.834791899 CET | 8787 | 49704 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:35.229574919 CET | 8787 | 49704 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:35.229695082 CET | 49704 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:35.229780912 CET | 49704 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:35.234689951 CET | 8787 | 49704 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:36.231631041 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:36.236537933 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:36.236641884 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:36.236979961 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:36.241820097 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:37.633368015 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:37.633451939 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:37.633502960 CET | 49705 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:37.638390064 CET | 8787 | 49705 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:38.637952089 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:38.644109964 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:38.646404028 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:38.646907091 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:38.652121067 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:40.059403896 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:40.059511900 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:40.059619904 CET | 49706 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:40.064431906 CET | 8787 | 49706 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:41.075212955 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:41.080266953 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:41.080358028 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:41.080813885 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:41.085602999 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:42.496527910 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:42.496629000 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:42.496732950 CET | 49707 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:42.501573086 CET | 8787 | 49707 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:43.519478083 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:43.524424076 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:43.524497032 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:43.524945974 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:43.530138016 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:44.934149981 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:44.934403896 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:44.934632063 CET | 49708 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:44.939369917 CET | 8787 | 49708 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:45.969791889 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:45.974808931 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:45.974895954 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:45.981800079 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:45.986694098 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:47.414104939 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:47.414180040 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:47.414233923 CET | 49709 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:47.419017076 CET | 8787 | 49709 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:48.418905020 CET | 49711 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:48.423821926 CET | 8787 | 49711 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:48.423918009 CET | 49711 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:48.424273968 CET | 49711 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:48.429055929 CET | 8787 | 49711 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:49.821088076 CET | 8787 | 49711 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:49.821245909 CET | 49711 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:49.821245909 CET | 49711 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:49.826179981 CET | 8787 | 49711 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:50.825092077 CET | 49713 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:50.830077887 CET | 8787 | 49713 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:50.830163002 CET | 49713 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:50.835275888 CET | 49713 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:50.840157986 CET | 8787 | 49713 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:52.248653889 CET | 8787 | 49713 | 192.210.150.26 | 192.168.2.8
                                            Jan 11, 2025 05:04:52.248850107 CET | 49713 | 8787 | 192.168.2.8 | 192.210.150.26
                                            Jan 11, 2025 05:04:52.248879910 CET497138787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:52.253777027 CET878749713192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:53.262932062 CET497148787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:53.267883062 CET878749714192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:53.267982006 CET497148787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:53.268367052 CET497148787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:53.273269892 CET878749714192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:54.686079025 CET878749714192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:54.686194897 CET497148787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:54.686266899 CET497148787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:54.692171097 CET878749714192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:55.700077057 CET497158787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:55.705044985 CET878749715192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:55.705121040 CET497158787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:55.705513954 CET497158787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:55.710316896 CET878749715192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:57.126389027 CET878749715192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:57.126472950 CET497158787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:57.126602888 CET497158787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:57.131362915 CET878749715192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:58.138885021 CET497168787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:58.143707037 CET878749716192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:58.145956993 CET497168787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:58.146462917 CET497168787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:58.151372910 CET878749716192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:59.594511986 CET878749716192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:04:59.594569921 CET497168787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:59.594621897 CET497168787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:04:59.599381924 CET878749716192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:00.606539011 CET497178787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:00.613574028 CET878749717192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:00.613704920 CET497178787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:00.614118099 CET497178787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:00.618918896 CET878749717192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:02.008702040 CET878749717192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:02.008815050 CET497178787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:02.011677980 CET497178787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:02.016556025 CET878749717192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:03.028635979 CET497188787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:03.033529043 CET878749718192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:03.033632040 CET497188787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:03.034193039 CET497188787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:03.038992882 CET878749718192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:04.468292952 CET878749718192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:04.468441963 CET497188787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:04.468501091 CET497188787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:04.473396063 CET878749718192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:05.492588043 CET497198787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:05.497478008 CET878749719192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:05.497569084 CET497198787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:05.498290062 CET497198787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:05.503047943 CET878749719192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:06.899389029 CET878749719192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:06.899534941 CET497198787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:06.899591923 CET497198787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:06.904438972 CET878749719192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:07.926386118 CET497208787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:07.931361914 CET878749720192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:07.931472063 CET497208787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:07.943150043 CET497208787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:07.948004007 CET878749720192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:09.341509104 CET878749720192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:09.341696024 CET497208787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:09.341867924 CET497208787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:09.346664906 CET878749720192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:10.356728077 CET497218787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:10.361674070 CET878749721192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:10.361768007 CET497218787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:10.362142086 CET497218787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:10.367017031 CET878749721192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:11.778040886 CET878749721192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:11.778183937 CET497218787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:11.778316021 CET497218787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:11.783164024 CET878749721192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:12.794080019 CET497228787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:12.799058914 CET878749722192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:12.799144983 CET497228787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:12.799585104 CET497228787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:12.804361105 CET878749722192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:14.221683025 CET878749722192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:14.221781969 CET497228787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:14.221991062 CET497228787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:14.226720095 CET878749722192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:15.231754065 CET497238787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:15.236684084 CET878749723192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:15.236799002 CET497238787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:15.237322092 CET497238787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:15.242146969 CET878749723192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:16.654541969 CET878749723192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:16.654750109 CET497238787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:16.654870987 CET497238787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:16.659698963 CET878749723192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:17.669167995 CET497248787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:17.674076080 CET878749724192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:17.674201965 CET497248787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:17.674647093 CET497248787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:17.679610968 CET878749724192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:19.087193012 CET878749724192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:19.087337971 CET497248787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:19.087413073 CET497248787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:19.092215061 CET878749724192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:20.090818882 CET497258787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:20.095854044 CET878749725192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:20.095947981 CET497258787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:20.096378088 CET497258787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:20.101260900 CET878749725192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:21.516824007 CET878749725192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:21.516918898 CET497258787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:21.516964912 CET497258787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:21.521845102 CET878749725192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:22.548259974 CET497268787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:22.553144932 CET878749726192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:22.553622007 CET497268787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:22.554071903 CET497268787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:22.558887959 CET878749726192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:23.984859943 CET878749726192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:23.985044956 CET497268787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:23.985044956 CET497268787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:23.989888906 CET878749726192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:24.997260094 CET497278787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:25.002085924 CET878749727192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:25.002177000 CET497278787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:25.002607107 CET497278787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:25.007478952 CET878749727192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:26.424148083 CET878749727192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:26.424240112 CET497278787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:26.424277067 CET497278787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:26.429088116 CET878749727192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:27.438266039 CET497298787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:27.443131924 CET878749729192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:27.443339109 CET497298787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:27.443758011 CET497298787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:27.448540926 CET878749729192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:28.858926058 CET878749729192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:28.858983994 CET497298787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:28.859321117 CET497298787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:28.864115953 CET878749729192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:29.872181892 CET497308787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:29.876972914 CET878749730192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:29.877054930 CET497308787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:29.877424955 CET497308787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:29.882232904 CET878749730192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:31.309823036 CET878749730192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:31.309920073 CET497308787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:31.313325882 CET497308787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:31.318322897 CET878749730192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:32.340888977 CET497318787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:32.345993042 CET878749731192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:32.346267939 CET497318787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:32.346577883 CET497318787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:32.351372957 CET878749731192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:33.763540030 CET878749731192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:33.763616085 CET497318787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:33.763670921 CET497318787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:33.768501997 CET878749731192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:34.811285973 CET497328787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:34.816103935 CET878749732192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:34.816175938 CET497328787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:34.816555023 CET497328787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:34.821352959 CET878749732192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:36.232639074 CET878749732192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:36.232702971 CET497328787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:36.232764006 CET497328787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:36.238991976 CET878749732192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:37.247056961 CET497338787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:37.252027988 CET878749733192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:37.252352953 CET497338787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:37.252741098 CET497338787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:37.257575989 CET878749733192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:38.652709007 CET878749733192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:38.652774096 CET497338787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:38.653088093 CET497338787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:38.657877922 CET878749733192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:39.669018030 CET497348787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:39.674839973 CET878749734192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:39.674942017 CET497348787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:39.675268888 CET497348787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:39.680017948 CET878749734192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:41.089795113 CET878749734192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:41.089860916 CET497348787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:41.089878082 CET497348787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:41.094731092 CET878749734192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:42.091264009 CET497358787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:42.096059084 CET878749735192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:42.098323107 CET497358787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:42.102288961 CET497358787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:42.107018948 CET878749735192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:43.534812927 CET878749735192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:43.534877062 CET497358787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:43.534945011 CET497358787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:43.539777994 CET878749735192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:44.543956995 CET497368787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:44.548841953 CET878749736192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:44.548917055 CET497368787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:44.549269915 CET497368787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:44.554065943 CET878749736192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:45.965598106 CET878749736192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:45.965671062 CET497368787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:45.965725899 CET497368787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:45.970489979 CET878749736192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:46.981372118 CET497378787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:46.986572027 CET878749737192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:46.986680031 CET497378787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:46.987004995 CET497378787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:46.991873026 CET878749737192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:48.404064894 CET878749737192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:48.404155970 CET497378787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:48.404218912 CET497378787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:48.409044981 CET878749737192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:49.420098066 CET497448787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:49.424969912 CET878749744192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:49.425048113 CET497448787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:49.425419092 CET497448787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:49.430254936 CET878749744192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:50.843266964 CET878749744192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:50.843337059 CET497448787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:50.843368053 CET497448787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:50.848203897 CET878749744192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:51.856309891 CET497638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:51.861257076 CET878749763192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:51.861340046 CET497638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:51.861656904 CET497638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:51.866503954 CET878749763192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:53.261324883 CET878749763192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:53.261387110 CET497638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:53.261387110 CET497638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:53.266272068 CET878749763192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:54.231513023 CET497808787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:54.236453056 CET878749780192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:54.236565113 CET497808787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:54.236881018 CET497808787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:54.241699934 CET878749780192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:55.654728889 CET878749780192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:55.654803991 CET497808787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:55.655020952 CET497808787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:55.659790039 CET878749780192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:56.590811014 CET497948787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:56.595686913 CET878749794192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:56.595751047 CET497948787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:56.596060038 CET497948787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:56.600867033 CET878749794192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:57.995992899 CET878749794192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:05:57.996072054 CET497948787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:57.996112108 CET497948787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:05:58.000968933 CET878749794192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:07.830117941 CET500458787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:07.830713034 CET500458787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:07.835547924 CET878750045192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:09.229871988 CET878750045192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:09.230187893 CET500458787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:09.230237961 CET500458787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:09.235017061 CET878750045192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:09.512285948 CET500468787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:09.517143965 CET878750046192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:09.517329931 CET500468787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:09.517586946 CET500468787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:09.522365093 CET878750046192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:10.938365936 CET878750046192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:10.938507080 CET500468787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:10.938507080 CET500468787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:10.943418980 CET878750046192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:11.200001955 CET500478787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:11.204902887 CET878750047192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:11.205255032 CET500478787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:11.205255032 CET500478787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:11.210047007 CET878750047192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:12.624916077 CET878750047192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:12.630264997 CET500478787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:12.633869886 CET500478787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:12.638823032 CET878750047192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:12.895421028 CET500488787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:12.900542021 CET878750048192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:12.902235031 CET500488787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:12.913271904 CET500488787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:12.928781986 CET878750048192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:14.346925974 CET878750048192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:14.348407984 CET500488787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:14.348407984 CET500488787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:14.353290081 CET878750048192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:14.591334105 CET500498787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:14.596561909 CET878750049192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:14.597615957 CET500498787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:14.597615957 CET500498787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:14.602483034 CET878750049192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:16.030265093 CET878750049192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:16.030322075 CET500498787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:16.033068895 CET500498787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:16.037905931 CET878750049192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:16.278203964 CET500508787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:16.283252954 CET878750050192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:16.283344030 CET500508787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:16.283628941 CET500508787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:16.288446903 CET878750050192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:17.686736107 CET878750050192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:17.689245939 CET500508787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:17.689279079 CET500508787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:17.694097042 CET878750050192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:17.918612957 CET500518787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:17.923649073 CET878750051192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:17.923717976 CET500518787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:17.924124956 CET500518787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:17.928894043 CET878750051192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:19.338946104 CET878750051192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:19.339029074 CET500518787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:19.339090109 CET500518787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:19.343839884 CET878750051192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:19.559463024 CET500528787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:19.564440966 CET878750052192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:19.564521074 CET500528787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:19.564975023 CET500528787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:19.569838047 CET878750052192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:20.984186888 CET878750052192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:20.986202955 CET500528787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:20.986241102 CET500528787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:20.991064072 CET878750052192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:21.199887991 CET500538787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:21.204955101 CET878750053192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:21.206207991 CET500538787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:21.206423044 CET500538787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:21.211239100 CET878750053192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:22.625765085 CET878750053192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:22.625850916 CET500538787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:22.625929117 CET500538787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:22.630723953 CET878750053192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:22.840430021 CET500548787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:22.845419884 CET878750054192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:22.845509052 CET500548787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:22.845752954 CET500548787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:22.850564003 CET878750054192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:24.265539885 CET878750054192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:24.265600920 CET500548787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:24.265641928 CET500548787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:24.270426989 CET878750054192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:24.469296932 CET500558787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:24.474344015 CET878750055192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:24.474467993 CET500558787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:24.477252960 CET500558787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:24.482043982 CET878750055192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:25.871440887 CET878750055192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:25.874195099 CET500558787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:25.874245882 CET500558787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:25.879040003 CET878750055192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:26.074965954 CET500568787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:26.080241919 CET878750056192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:26.082215071 CET500568787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:26.082474947 CET500568787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:26.087274075 CET878750056192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:27.481400013 CET878750056192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:27.481599092 CET500568787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:27.481647968 CET500568787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:27.486550093 CET878750056192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:27.672517061 CET500578787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:27.677620888 CET878750057192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:27.680324078 CET500578787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:27.690866947 CET500578787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:27.695738077 CET878750057192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:29.091546059 CET878750057192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:29.093275070 CET500578787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:29.093308926 CET500578787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:29.098119020 CET878750057192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:29.278132915 CET500588787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:29.283227921 CET878750058192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:29.285324097 CET500588787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:29.285461903 CET500588787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:29.290199995 CET878750058192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:30.754997015 CET878750058192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:30.756817102 CET500588787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:30.756891012 CET500588787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:30.762330055 CET878750058192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:30.965377092 CET500598787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:30.970330954 CET878750059192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:30.970410109 CET500598787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:30.970629930 CET500598787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:30.975459099 CET878750059192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:32.375343084 CET878750059192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:32.377115965 CET500598787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:32.377146959 CET500598787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:32.382002115 CET878750059192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:32.559222937 CET500608787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:32.564198971 CET878750060192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:32.564270973 CET500608787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:32.564547062 CET500608787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:32.569380999 CET878750060192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:33.986007929 CET878750060192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:33.986090899 CET500608787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:33.986143112 CET500608787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:33.990983009 CET878750060192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:34.152861118 CET500618787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:34.157879114 CET878750061192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:34.157970905 CET500618787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:34.158191919 CET500618787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:34.163012028 CET878750061192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:35.595891953 CET878750061192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:35.595962048 CET500618787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:35.596002102 CET500618787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:35.601039886 CET878750061192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:35.765551090 CET500628787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:35.770546913 CET878750062192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:35.770628929 CET500628787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:35.770900011 CET500628787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:35.775670052 CET878750062192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:37.184995890 CET878750062192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:37.185247898 CET500628787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:37.185249090 CET500628787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:37.190192938 CET878750062192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:37.340430021 CET500638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:37.345676899 CET878750063192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:37.349277020 CET500638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:37.349529982 CET500638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:37.354439020 CET878750063192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:38.745701075 CET878750063192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:38.746458054 CET500638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:38.746458054 CET500638787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:38.751308918 CET878750063192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:38.932216883 CET500648787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:38.937278032 CET878750064192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:38.937395096 CET500648787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:38.937735081 CET500648787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:38.942507982 CET878750064192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:40.345860004 CET878750064192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:40.345926046 CET500648787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:40.345963955 CET500648787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:40.350802898 CET878750064192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:40.496797085 CET500658787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:40.501847029 CET878750065192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:40.501934052 CET500658787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:40.502218962 CET500658787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:40.507086039 CET878750065192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:41.906073093 CET878750065192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:41.908345938 CET500658787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:41.908413887 CET500658787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:41.913249016 CET878750065192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:42.066432953 CET500668787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:42.071413994 CET878750066192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:42.073870897 CET500668787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:42.077548027 CET500668787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:42.082385063 CET878750066192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:43.482853889 CET878750066192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:43.486001968 CET500668787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:43.486047029 CET500668787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:43.490940094 CET878750066192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:43.621850967 CET500678787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:43.626926899 CET878750067192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:43.628597021 CET500678787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:43.628871918 CET500678787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:43.633707047 CET878750067192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:45.028831959 CET878750067192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:45.028907061 CET500678787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:45.028975010 CET500678787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:45.033832073 CET878750067192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:45.168756008 CET500688787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:45.173747063 CET878750068192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:45.173827887 CET500688787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:45.174118996 CET500688787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:45.178937912 CET878750068192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:46.593543053 CET878750068192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:46.594274998 CET500688787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:46.594275951 CET500688787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:46.599128962 CET878750068192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:46.731013060 CET500698787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:46.736119986 CET878750069192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:46.736306906 CET500698787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:46.736639977 CET500698787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:46.741442919 CET878750069192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:48.140642881 CET878750069192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:48.142345905 CET500698787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:48.142345905 CET500698787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:48.147159100 CET878750069192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:48.262336016 CET500708787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:48.267234087 CET878750070192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:48.270212889 CET500708787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:48.270493984 CET500708787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:48.275265932 CET878750070192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:49.689438105 CET878750070192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:49.689510107 CET500708787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:49.689554930 CET500708787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:49.694369078 CET878750070192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:49.809200048 CET500718787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:49.814145088 CET878750071192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:49.814227104 CET500718787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:49.814486027 CET500718787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:49.819231987 CET878750071192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:51.220041990 CET878750071192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:51.222181082 CET500718787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:51.222255945 CET500718787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:51.227181911 CET878750071192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:51.340538979 CET500728787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:51.345750093 CET878750072192.210.150.26192.168.2.8
                                            Jan 11, 2025 05:07:51.346178055 CET500728787192.168.2.8192.210.150.26
                                            Jan 11, 2025 05:07:51.346450090 CET500728787192.168.2.8192.210.150.26
Jan 11, 2025 05:07:51.351346016 CET | 8787 | 50072 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:52.747622967 CET | 8787 | 50072 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:52.747737885 CET | 50072 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:52.747739077 CET | 50072 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:52.752584934 CET | 8787 | 50072 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:52.856059074 CET | 50073 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:52.861032963 CET | 8787 | 50073 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:52.861125946 CET | 50073 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:52.861411095 CET | 50073 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:52.866198063 CET | 8787 | 50073 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:54.285281897 CET | 8787 | 50073 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:54.286179066 CET | 50073 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:54.286231041 CET | 50073 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:54.291152000 CET | 8787 | 50073 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:54.403187990 CET | 50074 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:54.408205032 CET | 8787 | 50074 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:54.410218954 CET | 50074 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:54.411534071 CET | 50074 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:54.416320086 CET | 8787 | 50074 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:55.831753969 CET | 8787 | 50074 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:55.831842899 CET | 50074 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:55.831878901 CET | 50074 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:55.836714983 CET | 8787 | 50074 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:55.934390068 CET | 50075 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:55.939498901 CET | 8787 | 50075 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:55.939606905 CET | 50075 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:55.939866066 CET | 50075 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:55.944732904 CET | 8787 | 50075 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:57.371049881 CET | 8787 | 50075 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:57.371193886 CET | 50075 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:57.371248960 CET | 50075 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:57.376068115 CET | 8787 | 50075 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:57.481049061 CET | 50076 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:57.485970974 CET | 8787 | 50076 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:57.486052990 CET | 50076 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:57.486351967 CET | 50076 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:57.491177082 CET | 8787 | 50076 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:58.886903048 CET | 8787 | 50076 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:58.886965990 CET | 50076 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:58.887029886 CET | 50076 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:58.891737938 CET | 8787 | 50076 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:58.981199980 CET | 50077 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:58.986433983 CET | 8787 | 50077 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:07:58.986541986 CET | 50077 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:58.986824989 CET | 50077 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:07:58.996393919 CET | 8787 | 50077 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:00.424427032 CET | 8787 | 50077 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:00.424527884 CET | 50077 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:00.425224066 CET | 50077 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:00.430108070 CET | 8787 | 50077 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:00.528072119 CET | 50078 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:00.533344030 CET | 8787 | 50078 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:00.533456087 CET | 50078 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:00.533710957 CET | 50078 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:00.538533926 CET | 8787 | 50078 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:01.954350948 CET | 8787 | 50078 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:01.954413891 CET | 50078 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:01.954515934 CET | 50078 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:01.959327936 CET | 8787 | 50078 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:02.043590069 CET | 50079 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:02.048787117 CET | 8787 | 50079 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:02.048926115 CET | 50079 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:02.049191952 CET | 50079 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:02.054167032 CET | 8787 | 50079 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:03.486800909 CET | 8787 | 50079 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:03.486884117 CET | 50079 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:03.486953974 CET | 50079 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:03.491792917 CET | 8787 | 50079 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:03.574755907 CET | 50080 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:03.579936981 CET | 8787 | 50080 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:03.580024004 CET | 50080 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:03.580329895 CET | 50080 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:03.585154057 CET | 8787 | 50080 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:05.005026102 CET | 8787 | 50080 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:05.005147934 CET | 50080 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:05.005198002 CET | 50080 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:05.010045052 CET | 8787 | 50080 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:05.090568066 CET | 50081 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:05.095531940 CET | 8787 | 50081 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:05.095652103 CET | 50081 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:05.095956087 CET | 50081 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:05.100760937 CET | 8787 | 50081 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:06.496243954 CET | 8787 | 50081 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:06.498205900 CET | 50081 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:06.500905037 CET | 50081 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:06.505712032 CET | 8787 | 50081 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:06.590473890 CET | 50082 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:06.595479965 CET | 8787 | 50082 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:06.598172903 CET | 50082 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:06.598411083 CET | 50082 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:06.603205919 CET | 8787 | 50082 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:08.016251087 CET | 8787 | 50082 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:08.016341925 CET | 50082 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:08.016393900 CET | 50082 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:08.021342993 CET | 8787 | 50082 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:08.106112957 CET | 50083 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:08.304299116 CET | 8787 | 50083 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:08.306231022 CET | 50083 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:08.306482077 CET | 50083 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:08.311265945 CET | 8787 | 50083 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:09.739428043 CET | 8787 | 50083 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:09.739500046 CET | 50083 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:09.739578962 CET | 50083 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:09.747765064 CET | 8787 | 50083 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:09.824783087 CET | 50084 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:09.829730988 CET | 8787 | 50084 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:09.830192089 CET | 50084 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:09.830435038 CET | 50084 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:09.837290049 CET | 8787 | 50084 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:11.254328966 CET | 8787 | 50084 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:11.254401922 CET | 50084 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:11.254503012 CET | 50084 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:11.259227037 CET | 8787 | 50084 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:11.340449095 CET | 50085 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:11.345438957 CET | 8787 | 50085 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:11.345544100 CET | 50085 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:11.345809937 CET | 50085 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:11.350599051 CET | 8787 | 50085 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:12.779115915 CET | 8787 | 50085 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:12.779191971 CET | 50085 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:12.779259920 CET | 50085 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:12.784048080 CET | 8787 | 50085 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:12.856483936 CET | 50086 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:12.862306118 CET | 8787 | 50086 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:12.862548113 CET | 50086 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:12.866604090 CET | 50086 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:12.872416019 CET | 8787 | 50086 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:14.285315037 CET | 8787 | 50086 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:14.285793066 CET | 50086 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:14.285868883 CET | 50086 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:14.290620089 CET | 8787 | 50086 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:14.356115103 CET | 50087 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:14.361893892 CET | 8787 | 50087 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:14.361969948 CET | 50087 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:14.362251043 CET | 50087 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:14.368035078 CET | 8787 | 50087 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:15.762721062 CET | 8787 | 50087 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:15.762794971 CET | 50087 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:15.762829065 CET | 50087 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:15.767689943 CET | 8787 | 50087 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:15.840451002 CET | 50088 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:15.845410109 CET | 8787 | 50088 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:15.846158028 CET | 50088 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:15.846369982 CET | 50088 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:15.851182938 CET | 8787 | 50088 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:17.266697884 CET | 8787 | 50088 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:17.267453909 CET | 50088 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:17.267494917 CET | 50088 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:17.272401094 CET | 8787 | 50088 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:17.340486050 CET | 50089 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:17.345717907 CET | 8787 | 50089 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:17.345962048 CET | 50089 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:17.346081972 CET | 50089 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:17.350972891 CET | 8787 | 50089 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:18.766278028 CET | 8787 | 50089 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:18.768158913 CET | 50089 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:18.768158913 CET | 50089 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:18.773125887 CET | 8787 | 50089 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:18.840600967 CET | 50090 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:18.845582962 CET | 8787 | 50090 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:18.845685959 CET | 50090 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:18.845968008 CET | 50090 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:18.850866079 CET | 8787 | 50090 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:20.287731886 CET | 8787 | 50090 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:20.289078951 CET | 50090 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:20.289113998 CET | 50090 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:20.294204950 CET | 8787 | 50090 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:20.356161118 CET | 50091 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:20.361145020 CET | 8787 | 50091 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:20.364998102 CET | 50091 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:20.365268946 CET | 50091 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:20.370245934 CET | 8787 | 50091 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:21.766448021 CET | 8787 | 50091 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:21.766566992 CET | 50091 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:21.766567945 CET | 50091 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:21.771420956 CET | 8787 | 50091 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:21.824879885 CET | 50092 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:21.829790115 CET | 8787 | 50092 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:21.834161043 CET | 50092 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:21.834434986 CET | 50092 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:21.839225054 CET | 8787 | 50092 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:23.231867075 CET | 8787 | 50092 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:23.233196974 CET | 50092 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:23.233231068 CET | 50092 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:23.238095999 CET | 8787 | 50092 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:23.293735981 CET | 50093 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:23.298571110 CET | 8787 | 50093 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:23.300599098 CET | 50093 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:23.302354097 CET | 50093 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:23.307169914 CET | 8787 | 50093 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:24.740617990 CET | 8787 | 50093 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:24.740756035 CET | 50093 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:24.740992069 CET | 50093 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:24.746723890 CET | 8787 | 50093 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:24.793669939 CET | 50094 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:24.798682928 CET | 8787 | 50094 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:24.800378084 CET | 50094 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:24.800674915 CET | 50094 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:24.805566072 CET | 8787 | 50094 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:26.220813036 CET | 8787 | 50094 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:26.221124887 CET | 50094 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:26.221124887 CET | 50094 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:26.226202965 CET | 8787 | 50094 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:26.278301001 CET | 50095 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:26.283166885 CET | 8787 | 50095 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:26.286138058 CET | 50095 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:26.286397934 CET | 50095 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:26.291203976 CET | 8787 | 50095 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:27.683783054 CET | 8787 | 50095 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:27.686177969 CET | 50095 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:27.688647032 CET | 50095 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:27.693463087 CET | 8787 | 50095 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:27.746658087 CET | 50096 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:27.751580000 CET | 8787 | 50096 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:27.751653910 CET | 50096 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:27.751938105 CET | 50096 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:27.756685019 CET | 8787 | 50096 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:29.176029921 CET | 8787 | 50096 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:29.176101923 CET | 50096 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:29.176407099 CET | 50096 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:29.181159973 CET | 8787 | 50096 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:29.231236935 CET | 50097 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:29.236895084 CET | 8787 | 50097 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:29.236974955 CET | 50097 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:29.237327099 CET | 50097 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:29.242084026 CET | 8787 | 50097 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:30.637145996 CET | 8787 | 50097 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:30.637322903 CET | 50097 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:30.637372971 CET | 50097 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:30.642996073 CET | 8787 | 50097 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:30.684271097 CET | 50098 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:30.690160990 CET | 8787 | 50098 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:30.690946102 CET | 50098 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:30.691240072 CET | 50098 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:30.696012974 CET | 8787 | 50098 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:32.107502937 CET | 8787 | 50098 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:32.110239029 CET | 50098 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:32.110239029 CET | 50098 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:32.115098000 CET | 8787 | 50098 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:32.168829918 CET | 50099 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:32.173877954 CET | 8787 | 50099 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:32.174125910 CET | 50099 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:32.174398899 CET | 50099 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:32.179203987 CET | 8787 | 50099 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:33.576930046 CET | 8787 | 50099 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:33.577003002 CET | 50099 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:33.577023983 CET | 50099 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:33.581839085 CET | 8787 | 50099 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:33.621670961 CET | 50100 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:33.626528978 CET | 8787 | 50100 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:33.626614094 CET | 50100 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:33.626903057 CET | 50100 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:33.631695032 CET | 8787 | 50100 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:35.052515030 CET | 8787 | 50100 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:35.052623034 CET | 50100 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:35.052644014 CET | 50100 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:35.057425976 CET | 8787 | 50100 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:35.105984926 CET | 50101 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:35.111541033 CET | 8787 | 50101 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:35.111656904 CET | 50101 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:35.112010956 CET | 50101 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:35.117680073 CET | 8787 | 50101 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:36.553423882 CET | 8787 | 50101 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:36.553565025 CET | 50101 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:36.720949888 CET | 50101 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:36.725972891 CET | 8787 | 50101 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:36.844852924 CET | 50102 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:36.849760056 CET | 8787 | 50102 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:36.849852085 CET | 50102 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:36.852752924 CET | 50102 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:36.857580900 CET | 8787 | 50102 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:38.266715050 CET | 8787 | 50102 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:38.270117998 CET | 50102 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:38.270159006 CET | 50102 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:38.275206089 CET | 8787 | 50102 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:38.324687958 CET | 50103 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:38.329744101 CET | 8787 | 50103 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:38.329855919 CET | 50103 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:38.330183983 CET | 50103 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:38.335133076 CET | 8787 | 50103 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:39.746903896 CET | 8787 | 50103 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:39.746980906 CET | 50103 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:39.747061014 CET | 50103 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:39.751838923 CET | 8787 | 50103 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:40.762346029 CET | 50104 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:40.767230988 CET | 8787 | 50104 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:40.770152092 CET | 50104 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:40.770387888 CET | 50104 | 8787 | 192.168.2.8 | 192.210.150.26
Jan 11, 2025 05:08:40.775192976 CET | 8787 | 50104 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:42.170464993 CET | 8787 | 50104 | 192.210.150.26 | 192.168.2.8
Jan 11, 2025 05:08:42.170581102 CET | 50104 | 8787 | 192.168.2.8 | 192.210.150.26

                                            Target ID:0
                                            Start time:23:04:31
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\C2R7VV2QmG.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\C2R7VV2QmG.exe"
                                            Imagebase:0x4f0000
                                            File size:850'432 bytes
                                            MD5 hash:AC26BAF5B7B03AA4046B2C2413A4C2C2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:23:04:32
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\differences\lecheries.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\C2R7VV2QmG.exe"
                                            Imagebase:0x7c0000
                                            File size:850'432 bytes
                                            MD5 hash:AC26BAF5B7B03AA4046B2C2413A4C2C2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3909263526.0000000001430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3909143044.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3909719441.0000000003FDE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3908547263.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3909055297.000000000128C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3909501179.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3909175397.000000000137D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 76%, ReversingLabs
                                            Reputation:low
                                            Has exited:false

                                            Target ID:3
                                            Start time:23:04:43
                                            Start date:10/01/2025
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lecheries.vbs"
                                            Imagebase:0x7ff6f69a0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:23:04:45
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\differences\lecheries.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\differences\lecheries.exe"
                                            Imagebase:0x7c0000
                                            File size:850'432 bytes
                                            MD5 hash:AC26BAF5B7B03AA4046B2C2413A4C2C2
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1590336253.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1590530789.0000000004160000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1589510446.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:3.4%
                                              Dynamic/Decrypted Code Coverage:0.4%
                                              Signature Coverage:9.8%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:184
                                              execution_graph 100912 641a40 100913 641a50 100912->100913 100914 641b6a LoadLibraryA 100913->100914 100917 641baf VirtualProtect VirtualProtect 100913->100917 100915 641b81 100914->100915 100915->100913 100919 641b93 GetProcAddress 100915->100919 100918 641c14 100917->100918 100918->100918 100919->100915 100920 641ba9 ExitProcess 100919->100920 100921 17c47f8 100935 17c2408 100921->100935 100923 17c48bc 100938 17c46e8 100923->100938 100941 17c5908 GetPEB 100935->100941 100937 17c2a93 100937->100923 100939 17c46f1 Sleep 100938->100939 100940 17c46ff 100939->100940 100942 17c5932 100941->100942 100942->100937 100943 517c56 100944 517c62 __ioinit 100943->100944 100980 519e08 GetStartupInfoW 100944->100980 100946 517c67 100982 518b7c GetProcessHeap 100946->100982 100948 517cbf 100949 517cca 100948->100949 101065 517da6 58 API calls 3 library calls 100948->101065 100983 519ae6 100949->100983 100952 517cd0 100953 517cdb __RTC_Initialize 100952->100953 101066 517da6 58 API calls 3 library calls 100952->101066 101004 51d5d2 100953->101004 100956 517cea 100957 517cf6 GetCommandLineW 100956->100957 101067 517da6 58 API calls 3 library calls 100956->101067 101023 524f23 GetEnvironmentStringsW 100957->101023 100960 517cf5 100960->100957 100963 517d10 100964 517d1b 100963->100964 101068 5130b5 58 API calls 3 library calls 100963->101068 101033 524d58 100964->101033 100967 517d21 100968 517d2c 100967->100968 101069 5130b5 58 API calls 3 library calls 100967->101069 101047 5130ef 100968->101047 100971 517d34 100972 517d3f __wwincmdln 100971->100972 101070 5130b5 58 API calls 3 library calls 100971->101070 101053 4f47d0 100972->101053 100975 517d53 100976 517d62 100975->100976 101071 513358 58 API calls _doexit 100975->101071 101072 5130e0 58 API calls _doexit 100976->101072 100979 517d67 __ioinit 100981 519e1e 100980->100981 100981->100946 100982->100948 101073 513187 36 API calls 2 library calls 100983->101073 100985 519aeb 101074 
519d3c InitializeCriticalSectionAndSpinCount __ioinit 100985->101074 100987 519af0 100988 519af4 100987->100988 101076 519d8a TlsAlloc 100987->101076 101075 519b5c 61 API calls 2 library calls 100988->101075 100991 519af9 100991->100952 100992 519b06 100992->100988 100993 519b11 100992->100993 101077 5187d5 100993->101077 100996 519b53 101085 519b5c 61 API calls 2 library calls 100996->101085 100999 519b58 100999->100952 101000 519b32 101000->100996 101001 519b38 101000->101001 101084 519a33 58 API calls 4 library calls 101001->101084 101003 519b40 GetCurrentThreadId 101003->100952 101005 51d5de __ioinit 101004->101005 101097 519c0b 101005->101097 101007 51d5e5 101008 5187d5 __calloc_crt 58 API calls 101007->101008 101010 51d5f6 101008->101010 101009 51d661 GetStartupInfoW 101017 51d676 101009->101017 101020 51d7a5 101009->101020 101010->101009 101011 51d601 __ioinit @_EH4_CallFilterFunc@8 101010->101011 101011->100956 101012 51d86d 101106 51d87d RtlLeaveCriticalSection _doexit 101012->101106 101014 5187d5 __calloc_crt 58 API calls 101014->101017 101015 51d7f2 GetStdHandle 101015->101020 101016 51d805 GetFileType 101016->101020 101017->101014 101018 51d6c4 101017->101018 101017->101020 101019 51d6f8 GetFileType 101018->101019 101018->101020 101104 519e2b InitializeCriticalSectionAndSpinCount 101018->101104 101019->101018 101020->101012 101020->101015 101020->101016 101105 519e2b InitializeCriticalSectionAndSpinCount 101020->101105 101024 524f34 101023->101024 101025 517d06 101023->101025 101146 51881d 58 API calls 2 library calls 101024->101146 101029 524b1b GetModuleFileNameW 101025->101029 101027 524f5a _memmove 101028 524f70 FreeEnvironmentStringsW 101027->101028 101028->101025 101030 524b4f _wparse_cmdline 101029->101030 101032 524b8f _wparse_cmdline 101030->101032 101147 51881d 58 API calls 2 library calls 101030->101147 101032->100963 101034 524d69 101033->101034 101035 524d71 __NMSG_WRITE 101033->101035 101034->100967 101036 5187d5 __calloc_crt 58 API calls 
101035->101036 101043 524d9a __NMSG_WRITE 101036->101043 101037 524df1 101038 512d55 _free 58 API calls 101037->101038 101038->101034 101039 5187d5 __calloc_crt 58 API calls 101039->101043 101040 524e16 101041 512d55 _free 58 API calls 101040->101041 101041->101034 101043->101034 101043->101037 101043->101039 101043->101040 101044 524e2d 101043->101044 101148 524607 58 API calls __wsopen_helper 101043->101148 101149 518dc6 IsProcessorFeaturePresent 101044->101149 101046 524e39 101046->100967 101048 5130fb __IsNonwritableInCurrentImage 101047->101048 101172 51a4d1 101048->101172 101050 513119 __initterm_e 101052 513138 __cinit __IsNonwritableInCurrentImage 101050->101052 101175 512d40 101050->101175 101052->100971 101054 4f47ea 101053->101054 101064 4f4889 101053->101064 101055 4f4824 74B1C8D0 101054->101055 101210 51336c 101055->101210 101059 4f4850 101222 4f48fd SystemParametersInfoW SystemParametersInfoW 101059->101222 101061 4f485c 101223 4f3b3a 101061->101223 101063 4f4864 SystemParametersInfoW 101063->101064 101064->100975 101065->100949 101066->100953 101067->100960 101071->100976 101072->100979 101073->100985 101074->100987 101075->100991 101076->100992 101078 5187dc 101077->101078 101080 518817 101078->101080 101082 5187fa 101078->101082 101086 5251f6 101078->101086 101080->100996 101083 519de6 TlsSetValue 101080->101083 101082->101078 101082->101080 101094 51a132 Sleep 101082->101094 101083->101000 101084->101003 101085->100999 101087 525201 101086->101087 101093 52521c 101086->101093 101088 52520d 101087->101088 101087->101093 101095 518b28 58 API calls __getptd_noexit 101088->101095 101089 52522c RtlAllocateHeap 101091 525212 101089->101091 101089->101093 101091->101078 101093->101089 101093->101091 101096 5133a1 RtlDecodePointer 101093->101096 101094->101082 101095->101091 101096->101093 101098 519c1c 101097->101098 101099 519c2f RtlEnterCriticalSection 101097->101099 101107 519c93 101098->101107 101099->101007 101101 519c22 101101->101099 101131 5130b5 
58 API calls 3 library calls 101101->101131 101104->101018 101105->101020 101106->101011 101108 519c9f __ioinit 101107->101108 101109 519ca8 101108->101109 101111 519cc0 101108->101111 101132 51a16b 58 API calls __NMSG_WRITE 101109->101132 101112 519ce1 __ioinit 101111->101112 101135 51881d 58 API calls 2 library calls 101111->101135 101112->101101 101113 519cad 101133 51a1c8 58 API calls 6 library calls 101113->101133 101115 519cd5 101117 519ceb 101115->101117 101118 519cdc 101115->101118 101121 519c0b __lock 58 API calls 101117->101121 101136 518b28 58 API calls __getptd_noexit 101118->101136 101119 519cb4 101134 51309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101119->101134 101123 519cf2 101121->101123 101125 519d17 101123->101125 101126 519cff 101123->101126 101138 512d55 101125->101138 101137 519e2b InitializeCriticalSectionAndSpinCount 101126->101137 101129 519d0b 101144 519d33 RtlLeaveCriticalSection _doexit 101129->101144 101132->101113 101133->101119 101135->101115 101136->101112 101137->101129 101139 512d5e RtlFreeHeap 101138->101139 101143 512d87 __dosmaperr 101138->101143 101140 512d73 101139->101140 101139->101143 101145 518b28 58 API calls __getptd_noexit 101140->101145 101142 512d79 GetLastError 101142->101143 101143->101129 101144->101112 101145->101142 101146->101027 101147->101032 101148->101043 101150 518dd1 101149->101150 101155 518c59 101150->101155 101154 518dec 101154->101046 101156 518c73 _memset ___raise_securityfailure 101155->101156 101157 518c93 IsDebuggerPresent 101156->101157 101163 51a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 101157->101163 101160 518d7a 101162 51a140 GetCurrentProcess TerminateProcess 101160->101162 101161 518d57 ___raise_securityfailure 101164 51c5f6 101161->101164 101162->101154 101163->101161 101165 51c600 IsProcessorFeaturePresent 101164->101165 101166 51c5fe 101164->101166 101168 52590a 101165->101168 101166->101160 101171 5258b9 5 API calls 2 library calls 101168->101171 
101170 5259ed 101170->101160 101171->101170 101173 51a4d4 RtlEncodePointer 101172->101173 101173->101173 101174 51a4ee 101173->101174 101174->101050 101178 512c44 101175->101178 101177 512d4b 101177->101052 101179 512c50 __ioinit 101178->101179 101186 513217 101179->101186 101185 512c77 __ioinit 101185->101177 101187 519c0b __lock 58 API calls 101186->101187 101188 512c59 101187->101188 101189 512c88 RtlDecodePointer RtlDecodePointer 101188->101189 101190 512c65 101189->101190 101191 512cb5 101189->101191 101200 512c82 101190->101200 101191->101190 101203 5187a4 59 API calls __wsopen_helper 101191->101203 101193 512d18 RtlEncodePointer RtlEncodePointer 101193->101190 101194 512cec 101194->101190 101198 512d06 RtlEncodePointer 101194->101198 101205 518864 61 API calls __realloc_crt 101194->101205 101195 512cc7 101195->101193 101195->101194 101204 518864 61 API calls __realloc_crt 101195->101204 101198->101193 101199 512d00 101199->101190 101199->101198 101206 513220 101200->101206 101203->101195 101204->101194 101205->101199 101209 519d75 RtlLeaveCriticalSection 101206->101209 101208 512c87 101208->101185 101209->101208 101211 519c0b __lock 58 API calls 101210->101211 101212 513377 RtlDecodePointer RtlEncodePointer 101211->101212 101275 519d75 RtlLeaveCriticalSection 101212->101275 101214 4f4849 101215 5133d4 101214->101215 101216 5133f8 101215->101216 101217 5133de 101215->101217 101216->101059 101217->101216 101276 518b28 58 API calls __getptd_noexit 101217->101276 101219 5133e8 101277 518db6 9 API calls __wsopen_helper 101219->101277 101221 5133f3 101221->101059 101222->101061 101224 4f3b47 __write_nolock 101223->101224 101278 4f7667 101224->101278 101228 4f3b7a IsDebuggerPresent 101229 52d272 MessageBoxA 101228->101229 101230 4f3b88 101228->101230 101233 52d28c 101229->101233 101231 4f3c61 101230->101231 101230->101233 101234 4f3ba5 101230->101234 101232 4f3c68 SetCurrentDirectoryW 101231->101232 101236 4f3c75 Mailbox 101232->101236 101502 4f7213 59 API calls 
Mailbox 101233->101502 101364 4f7285 101234->101364 101236->101063 101238 52d29c 101243 52d2b2 SetCurrentDirectoryW 101238->101243 101240 4f3bc3 GetFullPathNameW 101380 4f7bcc 101240->101380 101242 4f3bfe 101389 50092d 101242->101389 101243->101236 101246 4f3c1c 101247 4f3c26 101246->101247 101503 54874b AllocateAndInitializeSid CheckTokenMembership FreeSid 101246->101503 101405 4f3a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 101247->101405 101250 52d2cf 101250->101247 101253 52d2e0 101250->101253 101504 4f4706 101253->101504 101254 4f3c30 101256 4f3c43 101254->101256 101413 4f434a 101254->101413 101424 5009d0 101256->101424 101258 52d2e8 101511 4f7de1 101258->101511 101260 4f3c4e 101260->101231 101501 4f443a Shell_NotifyIconW _memset 101260->101501 101262 52d2f5 101264 52d324 101262->101264 101265 52d2ff 101262->101265 101266 4f7cab 59 API calls 101264->101266 101515 4f7cab 101265->101515 101269 52d320 GetForegroundWindow ShellExecuteW 101266->101269 101275->101214 101276->101219 101277->101221 101531 510db6 101278->101531 101280 4f7688 101281 510db6 Mailbox 59 API calls 101280->101281 101282 4f3b51 GetCurrentDirectoryW 101281->101282 101283 4f3766 101282->101283 101284 4f7667 59 API calls 101283->101284 101285 4f377c 101284->101285 101569 4f3d31 101285->101569 101287 4f379a 101288 4f4706 61 API calls 101287->101288 101289 4f37ae 101288->101289 101290 4f7de1 59 API calls 101289->101290 101291 4f37bb 101290->101291 101583 4f4ddd 101291->101583 101294 52d173 101654 55955b 101294->101654 101295 4f37dc Mailbox 101607 4f8047 101295->101607 101298 52d192 101301 512d55 _free 58 API calls 101298->101301 101303 52d19f 101301->101303 101305 4f4e4a 84 API calls 101303->101305 101307 52d1a8 101305->101307 101311 4f3ed0 59 API calls 101307->101311 101308 4f7de1 59 API calls 101309 4f3808 101308->101309 101614 4f84c0 101309->101614 101313 52d1c3 101311->101313 101312 4f381a Mailbox 101314 4f7de1 59 API calls 101312->101314 101315 4f3ed0 59 API calls 
101313->101315 101316 4f3840 101314->101316 101317 52d1df 101315->101317 101318 4f84c0 69 API calls 101316->101318 101319 4f4706 61 API calls 101317->101319 101321 4f384f Mailbox 101318->101321 101320 52d204 101319->101320 101322 4f3ed0 59 API calls 101320->101322 101324 4f7667 59 API calls 101321->101324 101323 52d210 101322->101323 101325 4f8047 59 API calls 101323->101325 101326 4f386d 101324->101326 101327 52d21e 101325->101327 101618 4f3ed0 101326->101618 101329 4f3ed0 59 API calls 101327->101329 101331 52d22d 101329->101331 101337 4f8047 59 API calls 101331->101337 101333 4f3887 101333->101307 101334 4f3891 101333->101334 101335 512efd _W_store_winword 60 API calls 101334->101335 101336 4f389c 101335->101336 101336->101313 101338 4f38a6 101336->101338 101339 52d24f 101337->101339 101340 512efd _W_store_winword 60 API calls 101338->101340 101341 4f3ed0 59 API calls 101339->101341 101342 4f38b1 101340->101342 101343 52d25c 101341->101343 101342->101317 101344 4f38bb 101342->101344 101343->101343 101345 512efd _W_store_winword 60 API calls 101344->101345 101346 4f38c6 101345->101346 101346->101331 101347 4f3907 101346->101347 101349 4f3ed0 59 API calls 101346->101349 101347->101331 101348 4f3914 101347->101348 101634 4f92ce 101348->101634 101351 4f38ea 101349->101351 101353 4f8047 59 API calls 101351->101353 101355 4f38f8 101353->101355 101357 4f3ed0 59 API calls 101355->101357 101357->101347 101359 4f928a 59 API calls 101361 4f394f 101359->101361 101360 4f8ee0 60 API calls 101360->101361 101361->101359 101361->101360 101362 4f3ed0 59 API calls 101361->101362 101363 4f3995 Mailbox 101361->101363 101362->101361 101363->101228 101365 4f7292 __write_nolock 101364->101365 101366 52ea22 _memset 101365->101366 101367 4f72ab 101365->101367 101369 52ea3e 762ED0D0 101366->101369 102523 4f4750 101367->102523 101371 52ea8d 101369->101371 101374 4f7bcc 59 API calls 101371->101374 101376 52eaa2 101374->101376 101376->101376 101377 4f72c9 102551 4f686a 101377->102551 101381 
4f7bd8 __NMSG_WRITE 101380->101381 101382 4f7c45 101380->101382 101385 4f7bee 101381->101385 101386 4f7c13 101381->101386 101383 4f7d2c 59 API calls 101382->101383 101384 4f7bf6 _memmove 101383->101384 101384->101242 101387 4f7f27 59 API calls 101385->101387 101388 4f8029 59 API calls 101386->101388 101387->101384 101388->101384 101390 50093a __write_nolock 101389->101390 102813 4f6d80 101390->102813 101392 50093f 101393 4f3c14 101392->101393 102824 50119e 89 API calls 101392->102824 101393->101238 101393->101246 101395 50094c 101395->101393 102825 503ee7 91 API calls Mailbox 101395->102825 101397 500955 101397->101393 101398 500959 GetFullPathNameW 101397->101398 101399 4f7bcc 59 API calls 101398->101399 101400 500985 101399->101400 101401 4f7bcc 59 API calls 101400->101401 101402 500992 101401->101402 101403 534cab _wcscat 101402->101403 101404 4f7bcc 59 API calls 101402->101404 101404->101393 101406 52d261 101405->101406 101407 4f3ab0 LoadImageW RegisterClassExW 101405->101407 102871 4f47a0 LoadImageW EnumResourceNamesW 101406->102871 102867 4f3041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 101407->102867 101411 52d26a 101412 4f39d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 101412->101254 101414 4f4375 _memset 101413->101414 102872 4f4182 101414->102872 101417 4f43fa 101419 4f4414 Shell_NotifyIconW 101417->101419 101420 4f4430 Shell_NotifyIconW 101417->101420 101421 4f4422 101419->101421 101420->101421 102876 4f407c 101421->102876 101423 4f4429 101423->101256 101425 534cc3 101424->101425 101439 5009f5 101424->101439 103034 559e4a 89 API calls 4 library calls 101425->103034 101427 500cfa 101427->101260 101429 500ee4 101429->101427 101431 500ef1 101429->101431 103032 501093 331 API calls Mailbox 101431->103032 101432 500a4b PeekMessageW 101500 500a05 Mailbox 101432->101500 101434 500ef8 LockWindowUpdate DestroyWindow GetMessageW 101434->101427 101436 534e81 Sleep 101436->101500 101438 500ce4 101438->101427 103031 501070 10 API calls 
Mailbox 101438->103031 101439->101500 103035 4f9e5d 60 API calls 101439->103035 103036 546349 331 API calls 101439->103036 101443 500e43 PeekMessageW 101443->101500 101444 500ea5 TranslateMessage DispatchMessageW 101444->101443 101445 534d50 TranslateAcceleratorW 101445->101443 101445->101500 101446 4f9e5d 60 API calls 101446->101500 101447 500d13 timeGetTime 101447->101500 101448 53581f WaitForSingleObject 101450 53583c GetExitCodeProcess CloseHandle 101448->101450 101448->101500 101485 500f95 101450->101485 101451 500e5f Sleep 101486 500e70 Mailbox 101451->101486 101452 4f8047 59 API calls 101452->101500 101453 4f7667 59 API calls 101453->101486 101454 535af8 Sleep 101454->101486 101456 510db6 59 API calls Mailbox 101456->101500 101457 4fb73c 304 API calls 101457->101500 101459 51049f timeGetTime 101459->101486 101460 500f4e timeGetTime 103033 4f9e5d 60 API calls 101460->103033 101463 535b8f GetExitCodeProcess 101467 535ba5 WaitForSingleObject 101463->101467 101468 535bbb CloseHandle 101463->101468 101465 575f25 110 API calls 101465->101486 101466 4fb7dd 109 API calls 101466->101486 101467->101468 101467->101500 101468->101486 101471 535874 101471->101485 101472 535078 Sleep 101472->101500 101473 535c17 Sleep 101473->101500 101475 4f7de1 59 API calls 101475->101486 101479 4f9ea0 304 API calls 101479->101500 101485->101260 101486->101453 101486->101459 101486->101463 101486->101465 101486->101466 101486->101471 101486->101472 101486->101473 101486->101475 101486->101485 101486->101500 103061 552408 60 API calls 101486->103061 103062 4f9e5d 60 API calls 101486->103062 103063 4f89b3 69 API calls Mailbox 101486->103063 103064 4fb73c 331 API calls 101486->103064 103065 5464da 60 API calls 101486->103065 103066 555244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101486->103066 103067 553c55 66 API calls Mailbox 101486->103067 101487 559e4a 89 API calls 101487->101500 101488 4f84c0 69 API calls 101488->101500 101490 4f9c90 59 API 
[Execution graph fragment: call-graph nodes (function addresses in the 4f3xxx-55xxxx range with per-node API-call counts) and their edges, cut off at both ends and not reproducible as text. Win32 APIs named by the surviving nodes: module and resource loading (LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleExW, GetModuleFileNameW, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal); file and console I/O (GetFullPathNameW, GetLongPathNameW, CreateFileW, GetFileType, ReadFile, WriteFile, CloseHandle, GetConsoleMode, GetConsoleCP, ReadConsoleW, WriteConsoleW, MultiByteToWideChar, WideCharToMultiByte); UI and COM (IsDialogMessageW, GetClassLongW, VariantClear); runtime and CRT internals (RtlAllocateHeap, RtlDecodePointer, RaiseException, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, GetLastError, ExitProcess). Many nodes are labelled only with a CRT helper name (for example __wsopen_helper, __read_nolock, __write_nolock, __fcloseall, _memmove) or the AutoIt-style label "Mailbox".]
calls 102596->102597 102596->102598 102597->102598 102598->102590 102600 4f34d4 102599->102600 102604 4f34f3 _memmove 102599->102604 102602 510db6 Mailbox 59 API calls 102600->102602 102601 510db6 Mailbox 59 API calls 102603 4f350a 102601->102603 102602->102604 102603->102550 102604->102601 102605->102543 102607 4f6ab5 102606->102607 102608 52e41e 102606->102608 102711 4f57a6 60 API calls Mailbox 102607->102711 102778 54f7a1 89 API calls 4 library calls 102608->102778 102611 4f6ad7 102712 4f57f6 67 API calls 102611->102712 102612 52e431 102779 54f7a1 89 API calls 4 library calls 102612->102779 102614 4f6aec 102614->102612 102615 4f6af4 102614->102615 102617 4f7667 59 API calls 102615->102617 102619 4f6b00 102617->102619 102618 52e44d 102621 4f6b61 102618->102621 102713 510957 60 API calls __write_nolock 102619->102713 102622 4f6b6f 102621->102622 102623 52e460 102621->102623 102626 4f7667 59 API calls 102622->102626 102625 4f5c6f CloseHandle 102623->102625 102624 4f6b0c 102627 4f7667 59 API calls 102624->102627 102628 52e46c 102625->102628 102629 4f6b78 102626->102629 102630 4f6b18 102627->102630 102631 4f4ddd 136 API calls 102628->102631 102632 4f7667 59 API calls 102629->102632 102633 4f4750 60 API calls 102630->102633 102634 52e488 102631->102634 102635 4f6b81 102632->102635 102636 4f6b26 102633->102636 102637 52e4b1 102634->102637 102641 55955b 122 API calls 102634->102641 102716 4f459b 102635->102716 102714 4f5850 ReadFile SetFilePointerEx 102636->102714 102780 54f7a1 89 API calls 4 library calls 102637->102780 102640 4f6b52 102715 4f5aee SetFilePointerEx SetFilePointerEx 102640->102715 102645 52e4a4 102641->102645 102642 4f6b98 102646 4f7b2e 59 API calls 102642->102646 102648 52e4ac 102645->102648 102649 52e4cd 102645->102649 102650 4f6ba9 SetCurrentDirectoryW 102646->102650 102647 52e4c8 102676 4f6d0c Mailbox 102647->102676 102651 4f4e4a 84 API calls 102648->102651 102652 4f4e4a 84 API calls 102649->102652 102655 4f6bbc Mailbox 102650->102655 102651->102637 
102653 52e4d2 102652->102653 102654 510db6 Mailbox 59 API calls 102653->102654 102661 52e506 102654->102661 102656 510db6 Mailbox 59 API calls 102655->102656 102659 4f6bcf 102656->102659 102658 4f3bbb 102658->101231 102658->101240 102660 4f522e 59 API calls 102659->102660 102688 4f6bda Mailbox __NMSG_WRITE 102660->102688 102781 4f750f 59 API calls 2 library calls 102661->102781 102663 4f6ce7 102774 4f5c6f 102663->102774 102666 52e740 102787 5572df 59 API calls Mailbox 102666->102787 102667 4f6cf3 SetCurrentDirectoryW 102667->102676 102670 52e762 102788 56fbce 59 API calls 2 library calls 102670->102788 102673 52e76f 102675 512d55 _free 58 API calls 102673->102675 102674 52e7d9 102791 54f7a1 89 API calls 4 library calls 102674->102791 102675->102676 102706 4f57d4 102676->102706 102679 52e7f2 102679->102663 102682 52e7d1 102790 54f5f7 59 API calls 4 library calls 102682->102790 102684 4f7de1 59 API calls 102684->102688 102688->102663 102688->102674 102688->102682 102688->102684 102767 4f586d 67 API calls _wcscpy 102688->102767 102768 4f6f5d GetStringTypeW 102688->102768 102769 4f6ecc 60 API calls __wcsnicmp 102688->102769 102770 4f6faa GetStringTypeW __NMSG_WRITE 102688->102770 102771 51363d GetStringTypeW _iswctype 102688->102771 102772 4f68dc 165 API calls 3 library calls 102688->102772 102773 4f7213 59 API calls Mailbox 102688->102773 102689 4f7de1 59 API calls 102694 52e54f Mailbox 102689->102694 102693 52e792 102789 54f7a1 89 API calls 4 library calls 102693->102789 102694->102666 102694->102689 102694->102693 102782 54f73d 59 API calls 2 library calls 102694->102782 102783 54f65e 61 API calls 2 library calls 102694->102783 102784 55737f 59 API calls Mailbox 102694->102784 102785 4f750f 59 API calls 2 library calls 102694->102785 102786 4f7213 59 API calls Mailbox 102694->102786 102696 52e7ab 102697 512d55 _free 58 API calls 102696->102697 102698 52e7be 102697->102698 102698->102676 102699->102568 102700->102584 102701->102584 102702->102584 102703->102584 
102704->102584 102705->102578 102707 4f5c6f CloseHandle 102706->102707 102708 4f57dc Mailbox 102707->102708 102709 4f5c6f CloseHandle 102708->102709 102710 4f57eb 102709->102710 102710->102658 102711->102611 102712->102614 102713->102624 102714->102640 102715->102621 102717 4f7667 59 API calls 102716->102717 102718 4f45b1 102717->102718 102719 4f7667 59 API calls 102718->102719 102720 4f45b9 102719->102720 102721 4f7667 59 API calls 102720->102721 102722 4f45c1 102721->102722 102723 4f7667 59 API calls 102722->102723 102724 4f45c9 102723->102724 102725 52d4d2 102724->102725 102726 4f45fd 102724->102726 102727 4f8047 59 API calls 102725->102727 102728 4f784b 59 API calls 102726->102728 102729 52d4db 102727->102729 102730 4f460b 102728->102730 102731 4f7d8c 59 API calls 102729->102731 102732 4f7d2c 59 API calls 102730->102732 102734 4f4640 102731->102734 102733 4f4615 102732->102733 102733->102734 102735 4f784b 59 API calls 102733->102735 102736 4f4680 102734->102736 102738 4f465f 102734->102738 102749 52d4fb 102734->102749 102739 4f4636 102735->102739 102792 4f784b 102736->102792 102740 4f79f2 59 API calls 102738->102740 102743 4f7d2c 59 API calls 102739->102743 102744 4f4669 102740->102744 102741 4f4691 102745 4f46a3 102741->102745 102747 4f8047 59 API calls 102741->102747 102742 52d5cb 102746 4f7bcc 59 API calls 102742->102746 102743->102734 102744->102736 102750 4f784b 59 API calls 102744->102750 102748 4f46b3 102745->102748 102751 4f8047 59 API calls 102745->102751 102762 52d588 102746->102762 102747->102745 102753 4f46ba 102748->102753 102754 4f8047 59 API calls 102748->102754 102749->102742 102752 52d5b4 102749->102752 102761 52d532 102749->102761 102750->102736 102751->102748 102752->102742 102758 52d59f 102752->102758 102755 4f8047 59 API calls 102753->102755 102764 4f46c1 Mailbox 102753->102764 102754->102753 102755->102764 102756 4f79f2 59 API calls 102756->102762 102757 52d590 102759 4f7bcc 59 API calls 102757->102759 102760 4f7bcc 59 API calls 
102758->102760 102759->102762 102760->102762 102761->102757 102765 52d57b 102761->102765 102762->102736 102762->102756 102805 4f7924 59 API calls 2 library calls 102762->102805 102764->102642 102766 4f7bcc 59 API calls 102765->102766 102766->102762 102767->102688 102768->102688 102769->102688 102770->102688 102771->102688 102772->102688 102773->102688 102775 4f5c79 102774->102775 102776 4f5c88 102774->102776 102775->102667 102776->102775 102777 4f5c8d CloseHandle 102776->102777 102777->102775 102778->102612 102779->102618 102780->102647 102781->102694 102782->102694 102783->102694 102784->102694 102785->102694 102786->102694 102787->102670 102788->102673 102789->102696 102790->102674 102791->102679 102793 4f785a 102792->102793 102794 4f78b7 102792->102794 102793->102794 102795 4f7865 102793->102795 102796 4f7d2c 59 API calls 102794->102796 102797 52eb09 102795->102797 102798 4f7880 102795->102798 102802 4f7888 _memmove 102796->102802 102810 4f8029 102797->102810 102806 4f7f27 102798->102806 102801 52eb13 102803 510db6 Mailbox 59 API calls 102801->102803 102802->102741 102804 52eb33 102803->102804 102805->102762 102807 4f7f3f 102806->102807 102809 4f7f39 102806->102809 102808 510db6 Mailbox 59 API calls 102807->102808 102808->102809 102809->102802 102811 510db6 Mailbox 59 API calls 102810->102811 102812 4f8033 102811->102812 102812->102801 102814 4f6d95 102813->102814 102818 4f6ea9 102813->102818 102815 510db6 Mailbox 59 API calls 102814->102815 102814->102818 102817 4f6dbc 102815->102817 102816 510db6 Mailbox 59 API calls 102823 4f6e31 102816->102823 102817->102816 102818->101392 102823->102818 102826 4f6240 102823->102826 102851 4f735d 59 API calls Mailbox 102823->102851 102852 546553 59 API calls Mailbox 102823->102852 102853 4f750f 59 API calls 2 library calls 102823->102853 102824->101395 102825->101397 102854 4f7a16 102826->102854 102828 4f646a 102861 4f750f 59 API calls 2 library calls 102828->102861 102830 4f6484 Mailbox 102830->102823 102833 4f750f 59 API 
calls 102845 4f6265 102833->102845 102834 52dff6 102864 54f8aa 91 API calls 4 library calls 102834->102864 102836 4f6799 _memmove 102866 54f8aa 91 API calls 4 library calls 102836->102866 102839 4f7d8c 59 API calls 102839->102845 102840 52e004 102865 4f750f 59 API calls 2 library calls 102840->102865 102842 52e01a 102842->102830 102843 52df92 102844 4f8029 59 API calls 102843->102844 102848 52df9d 102844->102848 102845->102828 102845->102833 102845->102834 102845->102836 102845->102839 102845->102843 102847 4f7e4f 59 API calls 102845->102847 102859 4f5f6c 60 API calls 102845->102859 102860 4f5d41 59 API calls Mailbox 102845->102860 102862 4f5e72 60 API calls 102845->102862 102863 4f7924 59 API calls 2 library calls 102845->102863 102849 4f643b CharUpperBuffW 102847->102849 102850 510db6 Mailbox 59 API calls 102848->102850 102849->102845 102850->102836 102851->102823 102852->102823 102853->102823 102855 510db6 Mailbox 59 API calls 102854->102855 102856 4f7a3b 102855->102856 102857 4f8029 59 API calls 102856->102857 102858 4f7a4a 102857->102858 102858->102845 102859->102845 102860->102845 102861->102830 102862->102845 102863->102845 102864->102840 102865->102842 102866->102830 102868 4f30d2 LoadIconW 102867->102868 102870 4f3107 102868->102870 102870->101412 102871->101411 102873 52d423 102872->102873 102874 4f4196 102872->102874 102873->102874 102875 52d42c DestroyCursor 102873->102875 102874->101417 102898 552f94 62 API calls _W_store_winword 102874->102898 102875->102874 102877 4f4098 102876->102877 102897 4f416f Mailbox 102876->102897 102878 4f7a16 59 API calls 102877->102878 102879 4f40a6 102878->102879 102897->101423 102898->101417 102900 4fe6d5 102899->102900 102901 533aa9 102900->102901 102905 4fe73f 102900->102905 102906 4fe799 102900->102906 103069 4f9ea0 102901->103069 102904 4f7667 59 API calls 102904->102906 102905->102906 102908 4f7667 59 API calls 102905->102908 102906->102904 102909 512d40 __cinit 67 API calls 102906->102909 102911 533b26 
102906->102911 102914 4fe95a 102906->102914 102929 4fe970 Mailbox 102906->102929 102910 533b04 102908->102910 102909->102906 102912 512d40 __cinit 67 API calls 102910->102912 102911->101500 102912->102906 102913 4f84c0 69 API calls 102913->102929 102914->102929 103094 559e4a 89 API calls 4 library calls 102914->103094 102916 4f9ea0 331 API calls 102916->102929 102920 4f8d40 59 API calls 102920->102929 102922 559e4a 89 API calls 102922->102929 102925 4ff195 103098 559e4a 89 API calls 4 library calls 102925->103098 102928 4fea78 102928->101500 102929->102913 102929->102916 102929->102920 102929->102922 102929->102925 102929->102928 103068 4f7f77 59 API calls 2 library calls 102929->103068 103095 546e8f 59 API calls 102929->103095 103096 56c5c3 331 API calls 102929->103096 103097 56b53c 331 API calls Mailbox 102929->103097 103099 4f9c90 59 API calls Mailbox 102929->103099 103100 5693c6 331 API calls Mailbox 102929->103100 102931 4ff4ba 102930->102931 102932 4ff650 102930->102932 102933 4ff4c6 102931->102933 102934 53441e 102931->102934 102935 4f7de1 59 API calls 102932->102935 103199 4ff290 331 API calls 2 library calls 102933->103199 103201 56bc6b 331 API calls Mailbox 102934->103201 102941 4ff58c Mailbox 102935->102941 102938 53442c 102942 4ff630 102938->102942 103202 559e4a 89 API calls 4 library calls 102938->103202 102940 4ff4fd 102940->102938 102940->102941 102940->102942 102946 4f4e4a 84 API calls 102941->102946 103107 553c37 102941->103107 103110 56445a 102941->103110 103119 55cb7a 102941->103119 102942->101500 102944 4ff5e3 102944->102942 103200 4f9c90 59 API calls Mailbox 102944->103200 102946->102944 103328 4f8180 102949->103328 102951 4ffd3d 102953 53472d 102951->102953 103014 5006f6 102951->103014 103333 4ff234 102951->103333 103350 559e4a 89 API calls 4 library calls 102953->103350 103349 559e4a 89 API calls 4 library calls 103014->103349 103029->101500 103030->101500 103031->101429 103032->101434 103033->101500 103034->101439 103035->101439 
103036->101439 103037->101500 103038->101500 103039->101500 103041 4f9851 103040->103041 103050 4f984b 103040->103050 103042 4f9899 103041->103042 103043 52f4da 103041->103043 103044 4f9857 __itow 103041->103044 103045 52f5d3 __i64tow 103041->103045 103370 513698 83 API calls 3 library calls 103042->103370 103051 510db6 Mailbox 59 API calls 103043->103051 103056 52f552 Mailbox _wcscpy 103043->103056 103047 510db6 Mailbox 59 API calls 103044->103047 103045->103045 103049 4f9871 103047->103049 103049->103050 103052 4f7de1 59 API calls 103049->103052 103050->101500 103053 52f51f 103051->103053 103052->103050 103054 510db6 Mailbox 59 API calls 103053->103054 103055 52f545 103054->103055 103055->103056 103371 513698 83 API calls 3 library calls 103056->103371 103058->101500 103059->101500 103060->101500 103061->101486 103062->101486 103063->101486 103064->101486 103065->101486 103066->101486 103067->101486 103068->102929 103070 4f9ebf 103069->103070 103091 4f9eed Mailbox 103069->103091 103071 510db6 Mailbox 59 API calls 103070->103071 103071->103091 103072 4fb47a 103077 5309e5 103072->103077 103078 530055 103072->103078 103073 4fb475 103074 4f8047 59 API calls 103073->103074 103075 4fa057 103074->103075 103076 510db6 59 API calls Mailbox 103076->103091 103082 512d40 67 API calls __cinit 103082->103091 103086 4f7667 59 API calls 103086->103091 103087 4f8047 59 API calls 103087->103091 103088 546e8f 59 API calls 103088->103091 103089 5309d6 103091->103072 103091->103073 103091->103075 103091->103076 103091->103078 103091->103082 103091->103086 103091->103087 103091->103088 103091->103089 103092 4fa55a 103091->103092 103101 4fc8c0 331 API calls 2 library calls 103091->103101 103102 4fb900 60 API calls Mailbox 103091->103102 103094->102929 103095->102929 103096->102929 103097->102929 103099->102929 103100->102929 103101->103091 103102->103091 103203 55445a GetFileAttributesW 103107->103203 103111 4f9837 84 API calls 103110->103111 103112 564494 103111->103112 103120 4f7667 
59 API calls 103119->103120 103121 55cbaf 103120->103121 103199->102940 103200->102944 103201->102938 103202->102942 103205 554475 FindFirstFileW 103203->103205 103329 4f818f 103328->103329 103332 4f81aa 103328->103332 103330 4f7e4f 59 API calls 103329->103330 103331 4f8197 CharUpperBuffW 103330->103331 103331->103332 103332->102951 103334 4ff251 103333->103334 103349->102953 103370->103044 103371->103045 103384 4f1078 103389 4f708b 103384->103389 103386 4f108c 103387 512d40 __cinit 67 API calls 103386->103387 103388 4f1096 103387->103388 103390 4f709b __write_nolock 103389->103390 103391 4f7667 59 API calls 103390->103391 103392 4f7151 103391->103392 103393 4f4706 61 API calls 103392->103393 103394 4f715a 103393->103394 103420 51050b 103394->103420 103397 4f7cab 59 API calls 103398 4f7173 103397->103398 103399 4f3f74 59 API calls 103398->103399 103400 4f7182 103399->103400 103401 4f7667 59 API calls 103400->103401 103402 4f718b 103401->103402 103403 4f7d8c 59 API calls 103402->103403 103404 4f7194 RegOpenKeyExW 103403->103404 103405 52e8b1 RegQueryValueExW 103404->103405 103409 4f71b6 Mailbox 103404->103409 103406 52e943 RegCloseKey 103405->103406 103407 52e8ce 103405->103407 103406->103409 103412 52e955 _wcscat Mailbox __NMSG_WRITE 103406->103412 103408 510db6 Mailbox 59 API calls 103407->103408 103410 52e8e7 103408->103410 103409->103386 103411 4f522e 59 API calls 103410->103411 103413 52e8f2 RegQueryValueExW 103411->103413 103412->103409 103417 4f79f2 59 API calls 103412->103417 103418 4f7de1 59 API calls 103412->103418 103419 4f3f74 59 API calls 103412->103419 103414 52e929 103413->103414 103415 52e90f 103413->103415 103414->103406 103416 4f7bcc 59 API calls 103415->103416 103416->103414 103417->103412 103418->103412 103419->103412 103421 521940 __write_nolock 103420->103421 103422 510518 GetFullPathNameW 103421->103422 103423 51053a 103422->103423 103424 4f7bcc 59 API calls 103423->103424 103425 4f7165 103424->103425 103425->103397 103426 4f1066 103431 4ff76f 
103426->103431 103428 4f106c 103429 512d40 __cinit 67 API calls 103428->103429 103430 4f1076 103429->103430 103432 4ff790 103431->103432 103464 50ff03 103432->103464 103436 4ff7d7 103437 4f7667 59 API calls 103436->103437 103438 4ff7e1 103437->103438 103439 4f7667 59 API calls 103438->103439 103440 4ff7eb 103439->103440 103441 4f7667 59 API calls 103440->103441 103442 4ff7f5 103441->103442 103443 4f7667 59 API calls 103442->103443 103444 4ff833 103443->103444 103445 4f7667 59 API calls 103444->103445 103446 4ff8fe 103445->103446 103474 505f87 103446->103474 103450 4ff930 103451 4f7667 59 API calls 103450->103451 103452 4ff93a 103451->103452 103502 50fd9e 103452->103502 103454 4ff981 103455 4ff991 GetStdHandle 103454->103455 103456 4ff9dd 103455->103456 103457 5345ab 103455->103457 103458 4ff9e5 OleInitialize 103456->103458 103457->103456 103459 5345b4 103457->103459 103458->103428 103509 556b38 64 API calls Mailbox 103459->103509 103461 5345bb 103510 557207 CreateThread 103461->103510 103463 5345c7 CloseHandle 103463->103458 103511 50ffdc 103464->103511 103467 50ffdc 59 API calls 103468 50ff45 103467->103468 103469 4f7667 59 API calls 103468->103469 103470 50ff51 103469->103470 103471 4f7bcc 59 API calls 103470->103471 103472 4ff796 103471->103472 103473 510162 6 API calls 103472->103473 103473->103436 103475 4f7667 59 API calls 103474->103475 103476 505f97 103475->103476 103477 4f7667 59 API calls 103476->103477 103478 505f9f 103477->103478 103518 505a9d 103478->103518 103481 505a9d 59 API calls 103482 505faf 103481->103482 103483 4f7667 59 API calls 103482->103483 103484 505fba 103483->103484 103485 510db6 Mailbox 59 API calls 103484->103485 103486 4ff908 103485->103486 103487 5060f9 103486->103487 103488 506107 103487->103488 103489 4f7667 59 API calls 103488->103489 103490 506112 103489->103490 103491 4f7667 59 API calls 103490->103491 103492 50611d 103491->103492 103493 4f7667 59 API calls 103492->103493 103494 506128 103493->103494 103495 4f7667 59 API calls 
103494->103495 103496 506133 103495->103496 103497 505a9d 59 API calls 103496->103497 103498 50613e 103497->103498 103499 510db6 Mailbox 59 API calls 103498->103499 103500 506145 RegisterClipboardFormatW 103499->103500 103500->103450 103503 54576f 103502->103503 103504 50fdae 103502->103504 103521 559ae7 60 API calls 103503->103521 103505 510db6 Mailbox 59 API calls 103504->103505 103507 50fdb6 103505->103507 103507->103454 103508 54577a 103509->103461 103510->103463 103522 5571ed 65 API calls 103510->103522 103512 4f7667 59 API calls 103511->103512 103513 50ffe7 103512->103513 103514 4f7667 59 API calls 103513->103514 103515 50ffef 103514->103515 103516 4f7667 59 API calls 103515->103516 103517 50ff3b 103516->103517 103517->103467 103519 4f7667 59 API calls 103518->103519 103520 505aa5 103519->103520 103520->103481 103521->103508 103523 4f1016 103528 4f4974 103523->103528 103526 512d40 __cinit 67 API calls 103527 4f1025 103526->103527 103529 510db6 Mailbox 59 API calls 103528->103529 103531 4f497c 103529->103531 103530 4f101b 103530->103526 103531->103530 103535 4f4936 103531->103535 103536 4f493f 103535->103536 103537 4f4951 103535->103537 103538 512d40 __cinit 67 API calls 103536->103538 103539 4f49a0 103537->103539 103538->103537 103540 4f7667 59 API calls 103539->103540 103541 4f49b8 GetVersionExW 103540->103541 103542 4f7bcc 59 API calls 103541->103542 103543 4f49fb 103542->103543 103544 4f7d2c 59 API calls 103543->103544 103547 4f4a28 103543->103547 103545 4f4a1c 103544->103545 103546 4f7726 59 API calls 103545->103546 103546->103547 103548 4f4a93 GetCurrentProcess IsWow64Process 103547->103548 103550 52d864 103547->103550 103549 4f4aac 103548->103549 103551 4f4b2b GetSystemInfo 103549->103551 103552 4f4ac2 103549->103552 103553 4f4af8 103551->103553 103563 4f4b37 103552->103563 103553->103530 103556 4f4b1f GetSystemInfo 103558 4f4ae9 103556->103558 103557 4f4ad4 103559 4f4b37 2 API calls 103557->103559 103558->103553 103561 4f4aef FreeLibrary 103558->103561 
103560 4f4adc GetNativeSystemInfo 103559->103560 103560->103558 103561->103553 103564 4f4ad0 103563->103564 103565 4f4b40 LoadLibraryA 103563->103565 103564->103556 103564->103557 103565->103564 103566 4f4b51 GetProcAddress 103565->103566 103566->103564 103567 4f1055 103572 4f2649 103567->103572 103570 512d40 __cinit 67 API calls 103571 4f1064 103570->103571 103573 4f7667 59 API calls 103572->103573 103574 4f26b7 103573->103574 103579 4f3582 103574->103579 103576 4f2754 103577 4f105a 103576->103577 103582 4f3416 59 API calls 2 library calls 103576->103582 103577->103570 103583 4f35b0 103579->103583 103582->103576 103584 4f35bd 103583->103584 103585 4f35a1 103583->103585 103584->103585 103586 4f35c4 RegOpenKeyExW 103584->103586 103585->103576 103586->103585 103587 4f35de RegQueryValueExW 103586->103587 103588 4f35ff 103587->103588 103589 4f3614 RegCloseKey 103587->103589 103588->103589 103589->103585 103590 4f3633 103591 4f366a 103590->103591 103592 4f3688 103591->103592 103593 4f36e7 103591->103593 103631 4f36e5 103591->103631 103597 4f374b PostQuitMessage 103592->103597 103598 4f3695 103592->103598 103595 4f36ed 103593->103595 103596 52d0cc 103593->103596 103594 4f36ca NtdllDefWindowProc_W 103599 4f36d8 103594->103599 103600 4f3715 SetTimer RegisterClipboardFormatW 103595->103600 103601 4f36f2 103595->103601 103639 501070 10 API calls Mailbox 103596->103639 103597->103599 103603 52d154 103598->103603 103604 4f36a0 103598->103604 103600->103599 103608 4f373e CreatePopupMenu 103600->103608 103605 4f36f9 KillTimer 103601->103605 103606 52d06f 103601->103606 103644 552527 71 API calls _memset 103603->103644 103609 4f36a8 103604->103609 103610 4f3755 103604->103610 103635 4f443a Shell_NotifyIconW _memset 103605->103635 103612 52d074 103606->103612 103613 52d0a8 MoveWindow 103606->103613 103607 52d0f3 103640 501093 331 API calls Mailbox 103607->103640 103608->103599 103616 52d139 103609->103616 103617 4f36b3 103609->103617 103637 4f44a0 64 API calls _memset 
103610->103637 103621 52d097 SetFocus 103612->103621 103622 52d078 103612->103622 103613->103599 103616->103594 103643 547c36 59 API calls Mailbox 103616->103643 103624 4f36be 103617->103624 103625 52d124 103617->103625 103618 52d166 103618->103594 103618->103599 103620 4f3764 103620->103599 103621->103599 103622->103624 103626 52d081 103622->103626 103623 4f370c 103636 4f3114 DeleteObject DestroyWindow Mailbox 103623->103636 103624->103594 103641 4f443a Shell_NotifyIconW _memset 103624->103641 103642 552d36 81 API calls _memset 103625->103642 103638 501070 10 API calls Mailbox 103626->103638 103631->103594 103633 52d118 103634 4f434a 68 API calls 103633->103634 103634->103631 103635->103623 103636->103599 103637->103620 103638->103599 103639->103607 103640->103624 103641->103633 103642->103620 103643->103631 103644->103618 103645 53416f 103649 545fe6 103645->103649 103647 53417a 103648 545fe6 85 API calls 103647->103648 103648->103647 103653 545ff3 103649->103653 103659 546020 103649->103659 103650 546022 103661 4f9328 84 API calls Mailbox 103650->103661 103651 546027 103654 4f9837 84 API calls 103651->103654 103653->103650 103653->103651 103657 54601a 103653->103657 103653->103659 103655 54602e 103654->103655 103656 4f7b2e 59 API calls 103655->103656 103656->103659 103660 4f95a0 59 API calls _wcsstr 103657->103660 103659->103647 103660->103659 103661->103651 103662 52fdfc 103703 4fab30 Mailbox _memmove 103662->103703 103666 510db6 59 API calls Mailbox 103666->103703 103669 530055 103728 559e4a 89 API calls 4 library calls 103669->103728 103673 4fb475 103677 4f8047 59 API calls 103673->103677 103674 530064 103675 510db6 59 API calls Mailbox 103690 4f9f37 Mailbox 103675->103690 103676 4f8047 59 API calls 103676->103690 103688 4fa057 103677->103688 103679 4fb47a 103679->103669 103689 5309e5 103679->103689 103682 4f7667 59 API calls 103682->103690 103683 512d40 67 API calls __cinit 103683->103690 103684 546e8f 59 API calls 103684->103690 103685 4f7de1 59 API calls 
103685->103703 103686 5309d6 103734 559e4a 89 API calls 4 library calls 103686->103734 103735 559e4a 89 API calls 4 library calls 103689->103735 103690->103669 103690->103673 103690->103675 103690->103676 103690->103679 103690->103682 103690->103683 103690->103684 103690->103686 103690->103688 103691 4fa55a 103690->103691 103717 4fc8c0 331 API calls 2 library calls 103690->103717 103718 4fb900 60 API calls Mailbox 103690->103718 103733 559e4a 89 API calls 4 library calls 103691->103733 103694 4fb2b6 103722 4ff6a3 331 API calls 103694->103722 103696 4f9ea0 331 API calls 103696->103703 103697 53086a 103731 4f9c90 59 API calls Mailbox 103697->103731 103699 530878 103732 559e4a 89 API calls 4 library calls 103699->103732 103701 53085c 103701->103688 103730 54617e 59 API calls Mailbox 103701->103730 103702 4fb21c 103720 4f9d3c 60 API calls Mailbox 103702->103720 103703->103666 103703->103685 103703->103688 103703->103690 103703->103694 103703->103696 103703->103697 103703->103699 103703->103701 103703->103702 103706 546e8f 59 API calls 103703->103706 103708 4fb525 103703->103708 103711 56df37 103703->103711 103714 56df23 103703->103714 103719 4f9c90 59 API calls Mailbox 103703->103719 103723 56c193 85 API calls 2 library calls 103703->103723 103724 56c2e0 96 API calls Mailbox 103703->103724 103725 557956 59 API calls Mailbox 103703->103725 103726 56bc6b 331 API calls Mailbox 103703->103726 103727 54617e 59 API calls Mailbox 103703->103727 103705 4fb22d 103721 4f9d3c 60 API calls Mailbox 103705->103721 103706->103703 103729 559e4a 89 API calls 4 library calls 103708->103729 103736 56cadd 103711->103736 103713 56df47 103713->103703 103715 56cadd 130 API calls 103714->103715 103716 56df33 103715->103716 103716->103703 103717->103690 103718->103690 103719->103703 103720->103705 103721->103694 103722->103708 103723->103703 103724->103703 103725->103703 103726->103703 103727->103703 103728->103674 103729->103701 103730->103688 103731->103701 103732->103701 103733->103688 
103734->103689 103735->103688 103737 4f9837 84 API calls 103736->103737 103738 56cb1a 103737->103738 103742 56cb61 Mailbox 103738->103742 103774 56d7a5 103738->103774 103740 56cf2e 103813 56d8c8 92 API calls Mailbox 103740->103813 103742->103713 103744 56cf3d 103746 56cdc7 103744->103746 103747 56cf49 103744->103747 103745 56cbb2 Mailbox 103745->103742 103748 4f9837 84 API calls 103745->103748 103761 56cdb9 103745->103761 103806 56fbce 59 API calls 2 library calls 103745->103806 103807 56cfdf 61 API calls 2 library calls 103745->103807 103787 56c96e 103746->103787 103747->103742 103748->103745 103753 56ce00 103802 510c08 103753->103802 103756 56ce33 103759 4f92ce 59 API calls 103756->103759 103757 56ce1a 103808 559e4a 89 API calls 4 library calls 103757->103808 103762 56ce3f 103759->103762 103760 56ce25 GetCurrentProcess TerminateProcess 103760->103756 103761->103740 103761->103746 103763 4f9050 59 API calls 103762->103763 103764 56ce55 103763->103764 103773 56ce7c 103764->103773 103809 4f8d40 59 API calls Mailbox 103764->103809 103766 56cfa4 103766->103742 103768 56cfb8 FreeLibrary 103766->103768 103767 56ce6b 103810 56d649 107 API calls _free 103767->103810 103768->103742 103773->103766 103811 4f8d40 59 API calls Mailbox 103773->103811 103812 4f9d3c 60 API calls Mailbox 103773->103812 103814 56d649 107 API calls _free 103773->103814 103775 4f7e4f 59 API calls 103774->103775 103776 56d7c0 CharLowerBuffW 103775->103776 103815 54f167 103776->103815 103780 4f7667 59 API calls 103781 56d7f9 103780->103781 103782 4f784b 59 API calls 103781->103782 103783 56d810 103782->103783 103784 4f7d2c 59 API calls 103783->103784 103785 56d81c Mailbox 103784->103785 103786 56d858 Mailbox 103785->103786 103822 56cfdf 61 API calls 2 library calls 103785->103822 103786->103745 103788 56c989 103787->103788 103789 56c9de 103787->103789 103790 510db6 Mailbox 59 API calls 103788->103790 103793 56da50 103789->103793 103792 56c9ab 103790->103792 103791 510db6 Mailbox 59 API calls 
103791->103792 103792->103789 103792->103791 103794 56dc79 Mailbox 103793->103794 103798 56da73 _strcat _wcscpy __NMSG_WRITE 103793->103798 103794->103753 103795 4f9b98 59 API calls 103795->103798 103796 4f9be6 59 API calls 103796->103798 103797 4f9b3c 59 API calls 103797->103798 103798->103794 103798->103795 103798->103796 103798->103797 103799 51571c 58 API calls __crtLCMapStringA_stat 103798->103799 103800 4f9837 84 API calls 103798->103800 103825 555887 61 API calls 2 library calls 103798->103825 103799->103798 103800->103798 103804 510c1d 103802->103804 103803 510cb5 VirtualProtect 103805 510c83 103803->103805 103804->103803 103804->103805 103805->103756 103805->103757 103806->103745 103807->103745 103808->103760 103809->103767 103810->103773 103811->103773 103812->103773 103813->103744 103814->103773 103816 54f192 __NMSG_WRITE 103815->103816 103817 54f1d1 103816->103817 103820 54f1c7 103816->103820 103821 54f278 103816->103821 103817->103780 103817->103785 103820->103817 103823 4f78c4 61 API calls 103820->103823 103821->103817 103824 4f78c4 61 API calls 103821->103824 103822->103786 103823->103820 103824->103821 103825->103798
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004F3B68
• IsDebuggerPresent.KERNEL32 ref: 004F3B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,005B52F8,005B52E0,?,?), ref: 004F3BEB
  • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
  • Part of subcall function 0050092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004F3C14,005B52F8,?,?,?), ref: 0050096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 004F3C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005A7770,00000010), ref: 0052D281
• SetCurrentDirectoryW.KERNEL32(?,005B52F8,?,?,?), ref: 0052D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005A4260,005B52F8,?,?,?), ref: 0052D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0052D346
  • Part of subcall function 004F3A46: GetSysColorBrush.USER32(0000000F), ref: 004F3A50
  • Part of subcall function 004F3A46: LoadCursorW.USER32(00000000,00007F00), ref: 004F3A5F
  • Part of subcall function 004F3A46: LoadIconW.USER32(00000063), ref: 004F3A76
  • Part of subcall function 004F3A46: LoadIconW.USER32(000000A4), ref: 004F3A88
  • Part of subcall function 004F3A46: LoadIconW.USER32(000000A2), ref: 004F3A9A
  • Part of subcall function 004F3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F3AC0
  • Part of subcall function 004F3A46: RegisterClassExW.USER32(?), ref: 004F3B16
  • Part of subcall function 004F39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F3A03
  • Part of subcall function 004F39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F3A24
  • Part of subcall function 004F39D5: ShowWindow.USER32(00000000,?,?), ref: 004F3A38
  • Part of subcall function 004F39D5: ShowWindow.USER32(00000000,?,?), ref: 004F3A41
  • Part of subcall function 004F434A: _memset.LIBCMT ref: 004F4370
                                                • Part of subcall function 004F434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F4415
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                              • String ID: This is a third-party compiled AutoIt script.$runas$%X
                                              • API String ID: 529118366-3455129907
                                              • Opcode ID: 25a94be3fca3050e31bcdb9f66fec087519640c76844a078530a28698c8e2814
                                              • Instruction ID: 1374ef5c3c58ac2c93611ee9a57fe4a6345a879cb9fb11fe09e5a0901fd7c74b
                                              • Opcode Fuzzy Hash: 25a94be3fca3050e31bcdb9f66fec087519640c76844a078530a28698c8e2814
                                              • Instruction Fuzzy Hash: E651773590824CAADF05EFB5EC05EFEBF74FF15304F00416AF611A22A1DA786649EB25
                                              APIs
                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 004F36D2
                                              • KillTimer.USER32(?,00000001), ref: 004F36FC
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F371F
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004F372A
                                              • CreatePopupMenu.USER32 ref: 004F373E
                                              • PostQuitMessage.USER32(00000000), ref: 004F374D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                              • String ID: TaskbarCreated$%X
                                              • API String ID: 157504867-764208368
                                              • Opcode ID: 954b476d5fdec90540948b8f77a03f488410eec434faacffb50b5c213c19b647
                                              • Instruction ID: 984f030bb16f7bb13c6db02a3c2d57f424ed2ccf66c7af1381825cb3db8351ad
                                              • Opcode Fuzzy Hash: 954b476d5fdec90540948b8f77a03f488410eec434faacffb50b5c213c19b647
                                              • Instruction Fuzzy Hash: A6410AB110050DABDB28AF64EC0DB7A3AD4FB51302F100126F702D63E1EA696D49A76A
                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 004F49CD
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              • GetCurrentProcess.KERNEL32(?,0057FAEC,00000000,00000000,?), ref: 004F4A9A
                                              • IsWow64Process.KERNEL32(00000000), ref: 004F4AA1
                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 004F4AE7
                                              • FreeLibrary.KERNEL32(00000000), ref: 004F4AF2
                                              • GetSystemInfo.KERNEL32(00000000), ref: 004F4B23
                                              • GetSystemInfo.KERNEL32(00000000), ref: 004F4B2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                              • String ID:
                                              • API String ID: 1986165174-0
                                              • Opcode ID: 2a8f92becf24463cf4f86135824413eee2abf480d374983ca789902826faf178
                                              • Instruction ID: a45dd42a21ca20e82ffd94b412168c611e98161b082cef4bb5d96f5924228c94
                                              • Opcode Fuzzy Hash: 2a8f92becf24463cf4f86135824413eee2abf480d374983ca789902826faf178
                                              • Instruction Fuzzy Hash: B891F83198DBC4DEC731CBA894501BBBFF5BF6A300B48495ED1CA43A41D628B548D76E
                                              APIs
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004F4E99
                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004F4D8E,?,?,00000000,00000000), ref: 004F4EB0
                                              • LoadResource.KERNEL32(?,00000000,?,?,004F4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004F4E2F), ref: 0052D937
                                              • SizeofResource.KERNEL32(?,00000000,?,?,004F4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004F4E2F), ref: 0052D94C
                                              • LockResource.KERNEL32(004F4D8E,?,?,004F4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004F4E2F,00000000), ref: 0052D95F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                              • String ID: SCRIPT
                                              • API String ID: 3051347437-3967369404
                                              • Opcode ID: 901e9c1829c1b7d08fae7bc3e405295b8065a9a3bc55ca07c5458f0955c36a5f
                                              • Instruction ID: f16a09384e5470b4aaca40e282dea7784b0245a23fbe6351ae9314a3cae575bf
                                              • Opcode Fuzzy Hash: 901e9c1829c1b7d08fae7bc3e405295b8065a9a3bc55ca07c5458f0955c36a5f
                                              • Instruction Fuzzy Hash: F7115E75240704BFD7218B65EC48F677BBAFFC5B11F204269F60986250DB61EC44E661
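The function above resolves the embedded payload with FindResourceExW(type 0x0A, name "SCRIPT"): type 0x0A is RT_RCDATA, and an RCDATA resource named SCRIPT is where a compiled AutoIt v3 executable keeps its script. Combined with the runtime strings listed earlier in this report (the "This is a third-party compiled AutoIt script." MessageBoxA text, the "AutoIt v3" window class and the Software\AutoIt v3\AutoIt registry path), that gives a file-level detection. The rule below is an added example written for this report, not something the sandbox or the AutoIt project ships; the rule name and metadata are my own. Note that the sample's own code section is dumped as PAGE_EXECUTE_READWRITE and contains a LoadLibraryA/GetProcAddress/VirtualProtect stub, so the strings may only be present after unpacking: scan the 004F0000-based memory dumps as well as the file on disk.

```yara
import "pe"

// Added example rule, not from the Joe Sandbox report or the AutoIt project.
// Strings come from the API/Strings listings above; the resource test mirrors
// the FindResourceExW(..., 0x0A /* RT_RCDATA */, L"SCRIPT") call shown there.
rule AutoIt3_compiled_script_runtime
{
    meta:
        description = "PE carrying the AutoIt v3 runtime and an RCDATA resource named SCRIPT"
        reference   = "Joe Sandbox analysis 1588752 (C2R7VV2QmG.exe), function listing"

    strings:
        $msg = "This is a third-party compiled AutoIt script." ascii   // MessageBoxA text
        $cls = "AutoIt v3" wide                                         // CreateWindowExW class/title
        $reg = "Software\\AutoIt v3\\AutoIt" wide                      // RegOpenKeyExW path
        $inc = "\\Include\\" wide                                       // include-path suffix

    condition:
        uint16(0) == 0x5A4D
        and 2 of ($msg, $cls, $reg, $inc)
        // pe.resources name_string is UTF-16LE, hence the interleaved NULs.
        and for any r in pe.resources : (
            r.type == pe.RESOURCE_TYPE_RCDATA
            and r.name_string == "S\x00C\x00R\x00I\x00P\x00T\x00"
        )
}
```

The string clause alone will also match memory dumps of the unpacked image, where the pe module cannot walk a resource directory; if you want a dump-only variant, drop the resource test and raise the string threshold instead of loosening the PE checks.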
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: pb[$%X
                                              • API String ID: 3964851224-2530992240
                                              • Opcode ID: 456cce3f2af52d86166b7aa3976d346f8ae37771262d00a6e5143243645b9e18
                                              • Instruction ID: dedc4dcf8128936e1be6fe20882ac387fbd34a1ee8f77bfbca37f2b39e31ace9
                                              • Opcode Fuzzy Hash: 456cce3f2af52d86166b7aa3976d346f8ae37771262d00a6e5143243645b9e18
                                              • Instruction Fuzzy Hash: 639268746083418FD720DF24C484B6ABBE5BF89304F14996DE98A8B3A2D775EC45CF92
                                              APIs
                                              • LoadLibraryA.KERNEL32(?), ref: 00641B7A
                                              • GetProcAddress.KERNEL32(?,0063AFF9), ref: 00641B98
                                              • ExitProcess.KERNEL32(?,0063AFF9), ref: 00641BA9
                                              • VirtualProtect.KERNELBASE(004F0000,00001000,00000004,?,00000000), ref: 00641BF7
                                              • VirtualProtect.KERNELBASE(004F0000,00001000), ref: 00641C0C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                              • String ID:
                                              • API String ID: 1996367037-0
                                              • Opcode ID: b5ab2233e2930c4138aaa005b9997b59c90f3246ce83976168dbdfb1b56fe7e6
                                              • Instruction ID: 73420783e2e77a2d731a1800b679b3597c79828f0b01df316484aaf409577172
                                              • Opcode Fuzzy Hash: b5ab2233e2930c4138aaa005b9997b59c90f3246ce83976168dbdfb1b56fe7e6
                                              • Instruction Fuzzy Hash: 9C510572A553568BD7218EB8CC806E07BA6EB5336472C0778C5E6CF3C5F7A458C68760
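The function above lives in the dump based at 0x641000 and does three things a self-unpacking stub does: it resolves imports by hand (LoadLibraryA, GetProcAddress), it flips the PE header page at 0x4F0000 (size 0x1000) to PAGE_READWRITE (0x04) and back with two VirtualProtect calls, and it keeps ExitProcess at hand for the failure path. The dump names in the Memory Dump Source lists encode the page protection the sandbox observed for each region, which is how you can see the same story without reading the code: the header page at 0x4F0000 is 0x02 (PAGE_READONLY), the code range from 0x4F1000 is 0x40 (PAGE_EXECUTE_READWRITE), the stub region at 0x641000 is 0x80 (PAGE_EXECUTE_WRITECOPY) and the data at 0x642000 is 0x04 (PAGE_READWRITE). A normally linked .text maps as PAGE_EXECUTE_READ, so writable-and-executable image pages are the ones to unpack from. The script below is an added example, not part of the Joe Sandbox report; the dotted field layout it parses (pid, dump index, dump id, base, protect, two fields of unknown meaning around the region type) is an assumption inferred from the names in this report, while the PAGE_* and MEM_* values are the documented Win32 constants from MEMORY_BASIC_INFORMATION.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names into page protections and
flag image regions that are both writable and executable.

Added example; not part of the Joe Sandbox report. The dotted field layout
(<pid>.<dump index>.<dump id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp) is an
ASSUMPTION inferred from the names in this report; the PAGE_* and MEM_* values
are the documented Win32 constants (MEMORY_BASIC_INFORMATION.Protect / .Type).
"""
import re

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Protections under which a page can be both written and executed.
WRITABLE_EXECUTABLE = {0x40, 0x80}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<idx>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)

# Dump names copied from the "Memory Dump Source" listings of this report.
REPORT_DUMPS = [
    "00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp",
]


def parse_sdmp_name(name):
    """Split one .sdmp file name into its fields; raises ValueError on a bad name."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    # Protect may carry modifier bits (PAGE_GUARD 0x100, PAGE_NOCACHE 0x200);
    # the base protection is the low byte.
    base_protect = protect & 0xFF
    return {
        "pid": int(m["pid"], 16),
        "dump_index": int(m["idx"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(base_protect, f"0x{base_protect:02X}"),
        "guard": bool(protect & 0x100),
        "type": MEM_TYPE.get(mtype, f"0x{mtype:X}"),
        "rwx": base_protect in WRITABLE_EXECUTABLE,
    }


def flag_rwx_image_regions(names):
    """Return base addresses (hex strings, ascending) of MEM_IMAGE regions whose
    pages are both writable and executable. A normally linked .text maps as
    PAGE_EXECUTE_READ, so RWX image pages point at in-process unpacking or
    self-modifying code and are the dumps worth looking at first."""
    hits = []
    for name in names:
        info = parse_sdmp_name(name)
        if info["type"] == "MEM_IMAGE" and info["rwx"]:
            hits.append(info["base"])
    return [f"0x{b:X}" for b in sorted(hits)]


if __name__ == "__main__":
    for name in REPORT_DUMPS:
        i = parse_sdmp_name(name)
        print(f"{i['base']:#010x} {i['type']:<11} {i['protect']}")
    print("RWX image regions:", flag_rwx_image_regions(REPORT_DUMPS))
```

Run against the eight dumps listed in this report, the only regions that are not writable-and-executable are the read-only header page at 0x4F0000 and the read-write data page at 0x642000; everything in between, including the 0x641000 stub, comes back RWX, which is the region list you would feed to a dumper after the stub has finished.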
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,0052E398), ref: 0055446A
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 0055447B
                                              • FindClose.KERNEL32(00000000), ref: 0055448B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirst
                                              • String ID:
                                              • API String ID: 48322524-0
                                              • Opcode ID: 8b875f944bb66d2c7cd5ed42a51c1e7c745d322ee8ec4de243077863a36569a1
                                              • Instruction ID: 6278574f50624ce6bceed5c0a888e1028132969839d2f63632b83ce139fe51f7
                                              • Opcode Fuzzy Hash: 8b875f944bb66d2c7cd5ed42a51c1e7c745d322ee8ec4de243077863a36569a1
                                              • Instruction Fuzzy Hash: B2E0D837414500A74610AB38FC0D4ED7B5CAF1533AF100B16FC3AC10D0E7745988BB95
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00500A5B
                                              • timeGetTime.WINMM ref: 00500D16
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00500E53
                                              • Sleep.KERNEL32(0000000A), ref: 00500E61
                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00500EFA
                                              • DestroyWindow.USER32 ref: 00500F06
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00500F20
                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00534E83
                                              • TranslateMessage.USER32(?), ref: 00535C60
                                              • DispatchMessageW.USER32(?), ref: 00535C6E
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00535C82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb[$pb[$pb[$pb[
                                              • API String ID: 4212290369-273532531
                                              • Opcode ID: fb8dca3842dcf16cfba9c74e770ad60523b850bebe10282185765e8f6a0b7f12
                                              • Instruction ID: 26c3464cb72eab44c5f7412b33f24a8b979aa834d6a536b6572d2cdab8f78682
                                              • Opcode Fuzzy Hash: fb8dca3842dcf16cfba9c74e770ad60523b850bebe10282185765e8f6a0b7f12
                                              • Instruction Fuzzy Hash: 18B2A070608741DFD728DF24C885BAEBBE4BF84304F14591EE589972E1DB74E888DB92
                                              APIs
                                                • Part of subcall function 00558F5F: __time64.LIBCMT ref: 00558F69
                                                • Part of subcall function 004F4EE5: _fseek.LIBCMT ref: 004F4EFD
                                              • __wsplitpath.LIBCMT ref: 00559234
                                                • Part of subcall function 005140FB: __wsplitpath_helper.LIBCMT ref: 0051413B
                                              • _wcscpy.LIBCMT ref: 00559247
                                              • _wcscat.LIBCMT ref: 0055925A
                                              • __wsplitpath.LIBCMT ref: 0055927F
                                              • _wcscat.LIBCMT ref: 00559295
                                              • _wcscat.LIBCMT ref: 005592A8
                                                • Part of subcall function 00558FA5: _memmove.LIBCMT ref: 00558FDE
                                                • Part of subcall function 00558FA5: _memmove.LIBCMT ref: 00558FED
                                              • _wcscmp.LIBCMT ref: 005591EF
                                                • Part of subcall function 00559734: _wcscmp.LIBCMT ref: 00559824
                                                • Part of subcall function 00559734: _wcscmp.LIBCMT ref: 00559837
                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00559452
                                              • _wcsncpy.LIBCMT ref: 005594C5
                                              • DeleteFileW.KERNEL32(?,?), ref: 005594FB
                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00559511
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00559522
                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00559534
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                              • String ID:
                                              • API String ID: 1500180987-0
                                              • Opcode ID: e446823105562ac8af9ab14a923ba09aacc8bc57728c4ace31e45989a37aafe4
                                              • Instruction ID: 3f47124ba75e5952b785284af630f1e6594629d51a06731b214ba297eb663a52
                                              • Opcode Fuzzy Hash: e446823105562ac8af9ab14a923ba09aacc8bc57728c4ace31e45989a37aafe4
                                              • Instruction Fuzzy Hash: 75C13DB1D00119AADF11DF95CC95AEEBBBDFF85310F0044ABF609E6141EB349A888F65
                                              APIs
                                                • Part of subcall function 004F4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005B52F8,?,004F37AE,?), ref: 004F4724
                                                • Part of subcall function 0051050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004F7165), ref: 0051052D
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004F71A8
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0052E8C8
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0052E909
                                              • RegCloseKey.ADVAPI32(?), ref: 0052E947
                                              • _wcscat.LIBCMT ref: 0052E9A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 2673923337-2727554177
                                              • Opcode ID: cf451b7bab0ed03e3274da25b6f497a90013915abe81ce2505f58f3808a176d4
                                              • Instruction ID: 1b6509a4ba84907cb7fe64da261725da6405a7c743e23a175023a1e5950d52fe
                                              • Opcode Fuzzy Hash: cf451b7bab0ed03e3274da25b6f497a90013915abe81ce2505f58f3808a176d4
                                              • Instruction Fuzzy Hash: F071C2750083059EE744EF25EC819ABFBE8FF95310F40062EF545C72A0DB78A988DB56
                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 004F3A50
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004F3A5F
                                              • LoadIconW.USER32(00000063), ref: 004F3A76
                                              • LoadIconW.USER32(000000A4), ref: 004F3A88
                                              • LoadIconW.USER32(000000A2), ref: 004F3A9A
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F3AC0
                                              • RegisterClassExW.USER32(?), ref: 004F3B16
                                                • Part of subcall function 004F3041: GetSysColorBrush.USER32(0000000F), ref: 004F3074
                                                • Part of subcall function 004F3041: RegisterClassExW.USER32(00000030), ref: 004F309E
                                                • Part of subcall function 004F3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004F30AF
                                                • Part of subcall function 004F3041: LoadIconW.USER32(000000A9), ref: 004F30F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 2880975755-4155596026
                                              • Opcode ID: 025ae9a56d87f9bd62e11c2bdabfd2ae34ddb377621e829e1b39ee14d0aeb7b1
                                              • Instruction ID: d83a9b7e3947329b869a62f44c4560a3e69b4ce4a9a7dfeadba1fa048d2afba0
                                              • Opcode Fuzzy Hash: 025ae9a56d87f9bd62e11c2bdabfd2ae34ddb377621e829e1b39ee14d0aeb7b1
                                              • Instruction Fuzzy Hash: 9E215174D01308AFEF59DFA4EC45B9DBBB0FB18711F00421AF504A62A1E7B56948AF94
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R[
                                              • API String ID: 1825951767-1768273904
                                              • Opcode ID: 74d3b4c987fca606d7ffb81af5573764adfa27d21940d046adb06cdb0682a078
                                              • Instruction ID: 93c46e3a1da1b9b6b0eb2f2bd526844e953fa654802496b88beba713af21128d
                                              • Opcode Fuzzy Hash: 74d3b4c987fca606d7ffb81af5573764adfa27d21940d046adb06cdb0682a078
                                              • Instruction Fuzzy Hash: 01A15A7191022D9ACB04EFA1DC95EFEBBB8BF14304F40052EF615A7191EF786A08CB64
                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 004F3074
                                              • RegisterClassExW.USER32(00000030), ref: 004F309E
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004F30AF
                                              • LoadIconW.USER32(000000A9), ref: 004F30F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: 8f28547be1ec820d1d5accf025970c88d0736db524d76e6b4bec31b0e78f3c75
                                              • Instruction ID: f5f3bb5c86a13ff2115be2672de1f68102acb42a03b067115a8680f137480896
                                              • Opcode Fuzzy Hash: 8f28547be1ec820d1d5accf025970c88d0736db524d76e6b4bec31b0e78f3c75
                                              • Instruction Fuzzy Hash: D9316A71845344AFDB40CFA4EC89B9DBBF0FB19310F24462EF584A62A0E3B51588EF50
                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 004F3074
                                              • RegisterClassExW.USER32(00000030), ref: 004F309E
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004F30AF
                                              • LoadIconW.USER32(000000A9), ref: 004F30F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: e7ae85e0e30ec60c077bc38918efceb1cdcb890a9dfacfd0280d07fb4a600267
                                              • Instruction ID: ec04b10d85c20ce799d4c2f67c8d484f1e821ba7d48d4146357b1d21f5e6e705
                                              • Opcode Fuzzy Hash: e7ae85e0e30ec60c077bc38918efceb1cdcb890a9dfacfd0280d07fb4a600267
                                              • Instruction Fuzzy Hash: 1221F7B1901208AFDB44DFA4FC49B9DBBF4FB18700F10822AF515A62A0E7B15588EF91
                                              APIs
                                                • Part of subcall function 00510162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00510193
                                                • Part of subcall function 00510162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0051019B
                                                • Part of subcall function 00510162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005101A6
                                                • Part of subcall function 00510162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005101B1
                                                • Part of subcall function 00510162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005101B9
                                                • Part of subcall function 00510162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005101C1
                                                • Part of subcall function 005060F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00506154
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004FF9CD
                                              • OleInitialize.OLE32(00000000), ref: 004FFA4A
                                              • CloseHandle.KERNEL32(00000000), ref: 005345C8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                              • String ID: <W[$\T[$%X$S[
                                              • API String ID: 3094916012-1184744913
                                              • Opcode ID: bd42aa3274beb81eb7c649f89e968fc753b4f1e3025bb344712f572381158722
                                              • Instruction ID: ec6f76e8feaedf97df5551f86a27b80fb1cc3b2a5afef635d63c37dab104c39b
                                              • Opcode Fuzzy Hash: bd42aa3274beb81eb7c649f89e968fc753b4f1e3025bb344712f572381158722
                                              • Instruction Fuzzy Hash: 4C81DFB0901A408FCBDDEF39A8557597BE5FBA8346760862A9008CB361FB74248DAF14
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 017C2D6D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                              • Instruction ID: 580ae228f086c110b64482900f0fcea06c09b92a8bd06908cd1033001ebc4b8b
                                              • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                              • Instruction Fuzzy Hash: 4251F875A50208FFEF60DFA4CC49FDEB778AF4CB40F108558F61AEA181DA749A448B60
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F3A03
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F3A24
                                              • ShowWindow.USER32(00000000,?,?), ref: 004F3A38
                                              • ShowWindow.USER32(00000000,?,?), ref: 004F3A41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: ca640faf86708dd850b633af62344a7b818de8b99ead9d523a4e12784ee3c0c4
                                              • Instruction ID: 3a730c804334fb5cfbe164a89b640e61258832ff8379d373fc36109ef163bea7
                                              • Opcode Fuzzy Hash: ca640faf86708dd850b633af62344a7b818de8b99ead9d523a4e12784ee3c0c4
                                              • Instruction Fuzzy Hash: B6F03A745022907EEAB59B237C09F2B6E7DE7D6F50F00422AB904A2270D2612844FAB0
                                              APIs
                                                • Part of subcall function 004F4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004F4E0F
                                              • _free.LIBCMT ref: 0052E263
                                              • _free.LIBCMT ref: 0052E2AA
                                                • Part of subcall function 004F6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004F6BAD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                              • String ID: /vO$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                              • API String ID: 2861923089-3331917774
                                              • Opcode ID: 9efd9d1d52e646df7523cbcdb1a94dfafb4089794e0fd992680b9a68fc4e44b6
                                              • Instruction ID: de82cc5dd171876ef0fa435cb30e7ff7de2d284895288defe7e303fea2a49f8f
                                              • Opcode Fuzzy Hash: 9efd9d1d52e646df7523cbcdb1a94dfafb4089794e0fd992680b9a68fc4e44b6
                                              • Instruction Fuzzy Hash: 9D91907190022EEFCF04EFA5DC468EDBBB8FF05314B10442AF916AB2A1DB749955CB50
                                              APIs
                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0052D3D7
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              • _memset.LIBCMT ref: 004F40FC
                                              • _wcscpy.LIBCMT ref: 004F4150
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004F4160
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                              • String ID: Line:
                                              • API String ID: 3942752672-1585850449
                                              • Opcode ID: 9d3480d44a7e3b68f7ee3ce47b7141cd450235abe940298262e581b6b946d6e5
                                              • Instruction ID: dd2d9f0206dc265bac662532844df98bf8b20a1404c61700aab1dafa9ee141ac
                                              • Opcode Fuzzy Hash: 9d3480d44a7e3b68f7ee3ce47b7141cd450235abe940298262e581b6b946d6e5
                                              • Instruction Fuzzy Hash: BE31C3710083086FD365EB60DC45FEB77D8AF54308F10451FF68582091EF78A648C79A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                              • String ID:
                                              • API String ID: 1559183368-0
                                              • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                              • Instruction ID: c1889139ef81d8c1001859df4ceb5efb390713f3efb23716b7c1efd791bee4aa
                                              • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                              • Instruction Fuzzy Hash: 0C51A870A00B05DBEF248E69D8446EE7FA7BFC1321F248729F825962D1E7B09DD08B40
                                              APIs
                                                • Part of subcall function 017C46E8: Sleep.KERNELBASE(000001F4), ref: 017C46F9
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017C4928
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CreateFileSleep
                                              • String ID: LXH3X16F0KL8Y
                                              • API String ID: 2694422964-4273474704
                                              • Opcode ID: f7ee32792087ac1f2e7aa0f3f5a1c898e545a4553e588d232f6462d8782018d4
                                              • Instruction ID: 28b5386d4d0f1abb31817ad0ad19c8e428cb79956a3d2ee295cfc3499e39f875
                                              • Opcode Fuzzy Hash: f7ee32792087ac1f2e7aa0f3f5a1c898e545a4553e588d232f6462d8782018d4
                                              • Instruction Fuzzy Hash: AD517D30D14258DBEF11DBB4C858BEEBA79AF19700F00459DE609BB2C0DB794B45CB65
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004F35A1,SwapMouseButtons,00000004,?), ref: 004F35D4
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004F35A1,SwapMouseButtons,00000004,?,?,?,?,004F2754), ref: 004F35F5
                                              • RegCloseKey.KERNELBASE(00000000,?,?,004F35A1,SwapMouseButtons,00000004,?,?,?,?,004F2754), ref: 004F3617
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: 392051873c8956620b9b450d3dc855821c98eee8b44f865caa7a57a783f68a56
                                              • Instruction ID: 9ce442daf766895014e9405e7f6cc80dc8c19b8a693ad009f156fa7217f97ca8
                                              • Opcode Fuzzy Hash: 392051873c8956620b9b450d3dc855821c98eee8b44f865caa7a57a783f68a56
                                              • Instruction Fuzzy Hash: 13113671510208BAEF20CF64E8449BFB7A8EF04741F00446AA909D7210D2719E44A764
                                              APIs
                                                • Part of subcall function 004F4EE5: _fseek.LIBCMT ref: 004F4EFD
                                                • Part of subcall function 00559734: _wcscmp.LIBCMT ref: 00559824
                                                • Part of subcall function 00559734: _wcscmp.LIBCMT ref: 00559837
                                              • _free.LIBCMT ref: 005596A2
                                              • _free.LIBCMT ref: 005596A9
                                              • _free.LIBCMT ref: 00559714
                                                • Part of subcall function 00512D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00519A24), ref: 00512D69
                                                • Part of subcall function 00512D55: GetLastError.KERNEL32(00000000,?,00519A24), ref: 00512D7B
                                              • _free.LIBCMT ref: 0055971C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                              • String ID:
                                              • API String ID: 1552873950-0
                                              • Opcode ID: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                              • Instruction ID: 005c1f6c997a51a5dca949c55075c6d4531301ea08cbffba7de15c28736c001a
                                              • Opcode Fuzzy Hash: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                              • Instruction Fuzzy Hash: 01517EB1904219ABDF249F65DC85AAEBB79FF88300F00049EF609A3241DB755A94CF58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                              • String ID:
                                              • API String ID: 2782032738-0
                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                              • Instruction ID: 2e894ec3e5a50002eddc7fbbea5802194c59c984405db1c9f3db8cf4aff9ed28
                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                              • Instruction Fuzzy Hash: ED41A475A00746ABFB188E69C8949EE7FA5FF81360B24953DE815C7680D770DDC18F50
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: AU3!P/X$EA06
                                              • API String ID: 4104443479-3130373682
                                              • Opcode ID: a57fc7f41548b0a374b345ab0f301d90838d8c8eea7c3992d2b20d1b1e51e2ad
                                              • Instruction ID: 2286440185c2888b19ae2a34bf4844c2cd18397c639e1826fba7433ed3386818
                                              • Opcode Fuzzy Hash: a57fc7f41548b0a374b345ab0f301d90838d8c8eea7c3992d2b20d1b1e51e2ad
                                              • Instruction Fuzzy Hash: 15416C21A0419C57DF219B5488917BF7FB5DBC6304F28446BEF829B382DE2C5E4583A6
                                              APIs
                                              • _memset.LIBCMT ref: 0052EA39
                                              • 762ED0D0.COMDLG32(?), ref: 0052EA83
                                                • Part of subcall function 004F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F4743,?,?,004F37AE,?), ref: 004F4770
                                                • Part of subcall function 00510791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005107B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: NamePath$FullLong_memset
                                              • String ID: X
                                              • API String ID: 3051022977-3081909835
                                              • Opcode ID: 1165048f9707e5f4bf1c5dac6134bd4af6e387e40e5706a1823651adacc06fb3
                                              • Instruction ID: fd7b634e5de1580af8160669f6e40197c7e24b3f72535a1b7e15b19f5428d5d7
                                              • Opcode Fuzzy Hash: 1165048f9707e5f4bf1c5dac6134bd4af6e387e40e5706a1823651adacc06fb3
                                              • Instruction Fuzzy Hash: 31218171A002589BDF419F94D849BFE7FF8BF49714F00405AE508A7281DBB859898FA5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __fread_nolock_memmove
                                              • String ID: EA06
                                              • API String ID: 1988441806-3962188686
                                              • Opcode ID: 48448a6baee12a672ba6aa225e591dcfbd7b054ab7e7c66ffa1568cfa7f55274
                                              • Instruction ID: 757d66dec4f5fdb9d0ea984236b70608514673edbc8e7a211c741074c354db89
                                              • Opcode Fuzzy Hash: 48448a6baee12a672ba6aa225e591dcfbd7b054ab7e7c66ffa1568cfa7f55274
                                              • Instruction Fuzzy Hash: 4B01FE718042187EDB14C6A8C816EFD7FF8DB11301F00455BF552D2181E875A6088760
                                              APIs
                                                • Part of subcall function 0051571C: __FF_MSGBANNER.LIBCMT ref: 00515733
                                                • Part of subcall function 0051571C: __NMSG_WRITE.LIBCMT ref: 0051573A
                                                • Part of subcall function 0051571C: RtlAllocateHeap.NTDLL(01780000,00000000,00000001), ref: 0051575F
                                              • std::exception::exception.LIBCMT ref: 00510DEC
                                              • __CxxThrowException@8.LIBCMT ref: 00510E01
                                                • Part of subcall function 0051859B: RaiseException.KERNEL32(?,?,00000000,005A9E78,?,00000001,?,?,?,00510E06,00000000,005A9E78,004F9E8C,00000001), ref: 005185F0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                              • String ID: bad allocation
                                              • API String ID: 3902256705-2104205924
                                              • Opcode ID: 0ee3b4bb357bdc40a221c6c4da6e2e92c9517354120dc42e0badd559ac6e9d6c
                                              • Instruction ID: faf243320ccb91bead24d6a85151c39aad2d4cf7ae8e0993c3767ec546631247
                                              • Opcode Fuzzy Hash: 0ee3b4bb357bdc40a221c6c4da6e2e92c9517354120dc42e0badd559ac6e9d6c
                                              • Instruction Fuzzy Hash: A9F0D13580021E66EB20BA94EC099EE7FECBF41350F000829FC15A61C1DFB09AC18291
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 017C344D
                                              • ExitProcess.KERNEL32(00000000), ref: 017C346C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Process$CreateExit
                                              • String ID: D
                                              • API String ID: 126409537-2746444292
                                              • Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                              • Instruction ID: 602d519f2885ab0238a7f688f0b5453f35b9f5f2f5b3c6476b93eefb34b7c8d6
                                              • Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                              • Instruction Fuzzy Hash: 81F0ECB594024CABDB60EFE4CC49FEEB778BF04B01F40850DBB0A9A184DA7496088B65
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 005598F8
                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0055990F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Temp$FileNamePath
                                              • String ID: aut
                                              • API String ID: 3285503233-3010740371
                                              • Opcode ID: ef5415a2015d2c664bb5e635d3fef9cbb00578925e1e6e8d7d4fb3789e8f5eed
                                              • Instruction ID: 54d7b4fc58852ca94614857e64a7d149c50946f0d7bd2611781a289fb75c6b0c
                                              • Opcode Fuzzy Hash: ef5415a2015d2c664bb5e635d3fef9cbb00578925e1e6e8d7d4fb3789e8f5eed
                                              • Instruction Fuzzy Hash: E6D05B7954030D6BDB50DB90EC0DFAA773CE714700F0006B1BA54910A1ED7055989B91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0064194955531f831aec2d7ad9c0bff1621c07dffd5b9743d9873b880ce101ab
                                              • Instruction ID: d4cd46f82c369585fad6188f527283e6529c346dc8d05ad31f5e963f8ccdc4c8
                                              • Opcode Fuzzy Hash: 0064194955531f831aec2d7ad9c0bff1621c07dffd5b9743d9873b880ce101ab
                                              • Instruction Fuzzy Hash: 9FF16770A083459FCB14DF29C484A6ABBE5FF88318F14892EF8999B351D735E945CF82
                                              APIs
                                              • _memset.LIBCMT ref: 004F4370
                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F4415
                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F4432
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_$_memset
                                              • String ID:
                                              • API String ID: 1505330794-0
                                              • Opcode ID: 8ec072ecf3140d777e3d2b0387f929f9a7c9c469e499744efe9627e85d03a4f1
                                              • Instruction ID: 2b26c21c845280053d08924c0334840f78192de60a0e588aac712b9934b69bfa
                                              • Opcode Fuzzy Hash: 8ec072ecf3140d777e3d2b0387f929f9a7c9c469e499744efe9627e85d03a4f1
                                              • Instruction Fuzzy Hash: 9331C3705057058FC764DF24D8847ABBBF8FF98308F000A2EE68A82351EB75A948DB56
                                              APIs
                                              • __FF_MSGBANNER.LIBCMT ref: 00515733
                                                • Part of subcall function 0051A16B: __NMSG_WRITE.LIBCMT ref: 0051A192
                                                • Part of subcall function 0051A16B: __NMSG_WRITE.LIBCMT ref: 0051A19C
                                              • __NMSG_WRITE.LIBCMT ref: 0051573A
                                                • Part of subcall function 0051A1C8: GetModuleFileNameW.KERNEL32(00000000,005B33BA,00000104,00000000,00000001,00000000), ref: 0051A25A
                                                • Part of subcall function 0051A1C8: ___crtMessageBoxW.LIBCMT ref: 0051A308
                                                • Part of subcall function 0051309F: ___crtCorExitProcess.LIBCMT ref: 005130A5
                                                • Part of subcall function 0051309F: ExitProcess.KERNEL32 ref: 005130AE
                                                • Part of subcall function 00518B28: __getptd_noexit.LIBCMT ref: 00518B28
                                              • RtlAllocateHeap.NTDLL(01780000,00000000,00000001), ref: 0051575F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                              • String ID:
                                              • API String ID: 1372826849-0
                                              • Opcode ID: 6880b340239911ece9277a56abdeb979b22e6f4f320622260e285d62624cdd1c
                                              • Instruction ID: 211614d53f7cf929ca1a5b575defdf6f3abb47fda8da96f215b1052235cb53d8
                                              • Opcode Fuzzy Hash: 6880b340239911ece9277a56abdeb979b22e6f4f320622260e285d62624cdd1c
                                              • Instruction Fuzzy Hash: 1B019635244A02DAF7112734EC57BF97F48FBD17A1F500925F415A61D1EFB0A8C09761
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00559548,?,?,?,?,?,00000004), ref: 005598BB
                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00559548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005598D1
                                              • CloseHandle.KERNEL32(00000000,?,00559548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005598D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateHandleTime
                                              • String ID:
                                              • API String ID: 3397143404-0
                                              • Opcode ID: 4f0f48255f41cd9e3db8df5b56c9738381164ab66cf20ac2eafeaa1035058466
                                              • Instruction ID: fa6ad6e101662824244774243be0798db5decd52d7c3c9b8e4c8535110dbd638
                                              • Opcode Fuzzy Hash: 4f0f48255f41cd9e3db8df5b56c9738381164ab66cf20ac2eafeaa1035058466
                                              • Instruction Fuzzy Hash: 28E08632141224F7D7215B64FC09FCA7F59AB16761F104120FB18690E087B11555F798
                                              APIs
                                              • _free.LIBCMT ref: 00558D1B
                                                • Part of subcall function 00512D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00519A24), ref: 00512D69
                                                • Part of subcall function 00512D55: GetLastError.KERNEL32(00000000,?,00519A24), ref: 00512D7B
                                              • _free.LIBCMT ref: 00558D2C
                                              • _free.LIBCMT ref: 00558D3E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                              • Instruction ID: e524b67fe3bc58bd4e6b5d495745fd7770cbcb014784c750b224a635f37e3ddc
                                              • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                              • Instruction Fuzzy Hash: A8E012A160160246DB24A5B8F944AE71BFC6F98353B54091EB80DE7196DF64F8978124
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CALL
                                              • API String ID: 0-4196123274
                                              • Opcode ID: 9b841bf1c2ea1569c2a6ff09216440fc00f16e46d2f55bec941d82c9959644d9
                                              • Instruction ID: ef5362f4ae6c6aa9fe69e0f087d1cec625e1e885ed8dbbd51165807b87a28c94
                                              • Opcode Fuzzy Hash: 9b841bf1c2ea1569c2a6ff09216440fc00f16e46d2f55bec941d82c9959644d9
                                              • Instruction Fuzzy Hash: D22269B0508205DFD724DF14C494A7ABBE1BF85304F14896EEA8A8B3A1D739EC55CB86
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
                                              • Instruction ID: e35e3c439e11ab9ae7bb31b47508a463390bc0c6533931454d8f0fbc37691757
                                              • Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
                                              • Instruction Fuzzy Hash: 7D3104B160060AAFC700DF68C8C1D79B7A8FF49310715822AE619CB391EB78ED61CB94
                                              APIs
                                              • 74B1C8D0.UXTHEME ref: 004F4834
                                                • Part of subcall function 0051336C: __lock.LIBCMT ref: 00513372
                                                • Part of subcall function 0051336C: RtlDecodePointer.NTDLL(00000001), ref: 0051337E
                                                • Part of subcall function 0051336C: RtlEncodePointer.NTDLL(?), ref: 00513389
                                                • Part of subcall function 004F48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004F4915
                                                • Part of subcall function 004F48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004F492A
                                                • Part of subcall function 004F3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004F3B68
                                                • Part of subcall function 004F3B3A: IsDebuggerPresent.KERNEL32 ref: 004F3B7A
                                                • Part of subcall function 004F3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005B52F8,005B52E0,?,?), ref: 004F3BEB
                                                • Part of subcall function 004F3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 004F3C6F
                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004F4874
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                              • String ID:
                                              • API String ID: 2688871447-0
                                              • Opcode ID: 5c98485045395d239e7598d8094e36f9ba25bdf9743bfa741d4ab33bbc11599b
                                              • Instruction ID: c0c06b29c2328d2153fe699971838dab7e5f58a3354228997b7bbd2b3d60de46
                                              • Opcode Fuzzy Hash: 5c98485045395d239e7598d8094e36f9ba25bdf9743bfa741d4ab33bbc11599b
                                              • Instruction Fuzzy Hash: 9B11AE718187059BCB04EF29E845A1AFFE8FBA4754F004A1FF14483271DB74A948DB96
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __lock_file_memset
                                              • String ID:
                                              • API String ID: 26237723-0
                                              • Opcode ID: 56ab45373c9da884f565ac560918e2eb3547dec7a474107863d20db476f95e5d
                                              • Instruction ID: 257733173aac6f3306f1d6c6d47e8303d4bd883bbbc82ed6ed5a52c5f0ba79cc
                                              • Opcode Fuzzy Hash: 56ab45373c9da884f565ac560918e2eb3547dec7a474107863d20db476f95e5d
                                              • Instruction Fuzzy Hash: 8901847180060AEBEF22AF649C0A8EE7F61BFD1361F544115B8141A191EB318ED1DFD1
                                              APIs
                                                • Part of subcall function 00518B28: __getptd_noexit.LIBCMT ref: 00518B28
                                              • __lock_file.LIBCMT ref: 005153EB
                                                • Part of subcall function 00516C11: __lock.LIBCMT ref: 00516C34
                                              • __fclose_nolock.LIBCMT ref: 005153F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                              • String ID:
                                              • API String ID: 2800547568-0
                                              • Opcode ID: a92d4d69c914975280d4ff3d0ff9f19a2e15d565a83d974edddbdaa878873703
                                              • Instruction ID: 4b80d7bd9aa366053e95f990eb737596b329745bc9d5a9e35eb048fdfdef50ab
                                              • Opcode Fuzzy Hash: a92d4d69c914975280d4ff3d0ff9f19a2e15d565a83d974edddbdaa878873703
                                              • Instruction Fuzzy Hash: 0CF09631800A06DAFB206F6598097FD7EE07FC1375F248504A434AB1C1DBFC59C1AB51
                                              APIs
                                                • Part of subcall function 017C2CE8: GetFileAttributesW.KERNELBASE(?), ref: 017C2CF3
                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 017C35E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AttributesCreateDirectoryFile
                                              • String ID:
                                              • API String ID: 3401506121-0
                                              • Opcode ID: 432adc5d54b51c9122426f9742c07da89d71d32e24cb8fac3bc1fdaec46f3076
                                              • Instruction ID: 70b1014474231c11dcaa7287b1ee914d5b3fdaa70552926993c628166d24ea66
                                              • Opcode Fuzzy Hash: 432adc5d54b51c9122426f9742c07da89d71d32e24cb8fac3bc1fdaec46f3076
                                              • Instruction Fuzzy Hash: 71617031A1020997EF14DFA4D854BEFB33AFF58700F00856DE609E7290EA769A45CBA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction ID: da9a435c28aa2f59d6d0c4f587d0954bd185290bfc8b6181016919e81d5e2c94
                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction Fuzzy Hash: E231D570A001069BE718DF58C4C49A9FBA6FB99304B6497A5E80ACB391D7B1EDC1DFC0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: 87c02a90e8f60361de8b803e37f746bc026879c2d17036d7ad3d1b145ef3f23c
                                              • Instruction ID: 4c49a2f4d6994456f8acc38e816dad4c9d7b02eb8abca27c13230760fb1294da
                                              • Opcode Fuzzy Hash: 87c02a90e8f60361de8b803e37f746bc026879c2d17036d7ad3d1b145ef3f23c
                                              • Instruction Fuzzy Hash: 444147745043459FDB24CF14C448B2ABBE1BF85318F0988ADE9998B362C335EC95CF96
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: c3e53a9d68ed43cef99e680372e4c2a4c0e55cb9699587e9a427fd4f18322aca
                                              • Instruction ID: 3aed3c805806b81cd566d9f18f194e11b746da360de18e2c07ae4097124328ca
                                              • Opcode Fuzzy Hash: c3e53a9d68ed43cef99e680372e4c2a4c0e55cb9699587e9a427fd4f18322aca
                                              • Instruction Fuzzy Hash: 91216672A04A29EBDB108F51FC42ABA7FB8FF66350F20842EE546D51D0EB3098D0E745
                                              APIs
                                                • Part of subcall function 004F4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 004F4BEF
                                                • Part of subcall function 0051525B: __wfsopen.LIBCMT ref: 00515266
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004F4E0F
                                                • Part of subcall function 004F4B6A: FreeLibrary.KERNEL32(00000000), ref: 004F4BA4
                                                • Part of subcall function 004F4C70: _memmove.LIBCMT ref: 004F4CBA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Library$Free$Load__wfsopen_memmove
                                              • String ID:
                                              • API String ID: 1396898556-0
                                              • Opcode ID: 9154940369e27b06fe4fa1ed0137670f9ff65aec0dea4917036340006bb91a3c
                                              • Instruction ID: 9e0729daac5744a0c57e2598e14af44b73f1d7b3b84b8e2ddc2d71e4d64d688f
                                              • Opcode Fuzzy Hash: 9154940369e27b06fe4fa1ed0137670f9ff65aec0dea4917036340006bb91a3c
                                              • Instruction Fuzzy Hash: 24110435600209ABCF10EF71C816FBF77A4AFC4714F10842EF642A7192EE799A019B65
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: 79370bf468745e06be4f829b9b4f3ef546ffdba0207d94041c122f6d521a1813
                                              • Instruction ID: cf40c88cc57bdb0eeb6abf054885fd7a7038667d937ec819d80fe99a955ad50d
                                              • Opcode Fuzzy Hash: 79370bf468745e06be4f829b9b4f3ef546ffdba0207d94041c122f6d521a1813
                                              • Instruction Fuzzy Hash: 052130B0908345DFDB24DF64C444B2ABBE1BF88304F05896CE98A47762C735E859CBA7
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 5ee3ecc9df7e979a056df97c299719b1eeec88577dfefa85402a631ec47f11a2
                                              • Instruction ID: 98be7d9b05b408577a72682d6fb43d957247e52b67753fbb25fcd090aca01249
                                              • Opcode Fuzzy Hash: 5ee3ecc9df7e979a056df97c299719b1eeec88577dfefa85402a631ec47f11a2
                                              • Instruction Fuzzy Hash: 8801F9311085099FD714AF28E902F7A77D9EF44354F10852FF64ACA2A1DE399881C744
                                              APIs
                                              • __lock_file.LIBCMT ref: 005148A6
                                                • Part of subcall function 00518B28: __getptd_noexit.LIBCMT ref: 00518B28
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __getptd_noexit__lock_file
                                              • String ID:
                                              • API String ID: 2597487223-0
                                              • Opcode ID: ec94017e01fce5584d4c71242e09a62e1582d21bfa63eee521d5721a7847dc01
                                              • Instruction ID: 1180984c7cd4b9950e926e5976f86e2415e82e4b8972d99907019d39eb85630a
                                              • Opcode Fuzzy Hash: ec94017e01fce5584d4c71242e09a62e1582d21bfa63eee521d5721a7847dc01
                                              • Instruction Fuzzy Hash: 48F0AF3190060AFBFF21AFA4CC0A7EE3EA1BF81325F159514B4249A191CB7889D2DF51
                                              APIs
                                              • FreeLibrary.KERNEL32(?,?,005B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004F4E7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: 3795c4c7756aae8d779f205ff973fcd56ec56e00b344c89d543729461bff944c
                                              • Instruction ID: cb53135feeb701aa9bd37fc7f8e7ddc78096f34598c15a5a90699f199c9b5d78
                                              • Opcode Fuzzy Hash: 3795c4c7756aae8d779f205ff973fcd56ec56e00b344c89d543729461bff944c
                                              • Instruction Fuzzy Hash: 66F03071501715CFDB349F64E494823BBE1BF94325310893FE2E682610CB359884EF44
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F4743,?,?,004F37AE,?), ref: 004F4770
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FullNamePath_memmove
                                              • String ID:
                                              • API String ID: 486084662-0
                                              • Opcode ID: fa594bddc5620de6bfdf238d7d698073b4c7afb84e7e190e88ae506312e7540a
                                              • Instruction ID: 31262a0f1c8689d97ddcd5594b42d06333c4c54544a3d2d24a2e70f382f898c5
                                              • Opcode Fuzzy Hash: fa594bddc5620de6bfdf238d7d698073b4c7afb84e7e190e88ae506312e7540a
                                              • Instruction Fuzzy Hash: 43E0D83060821D56D610F6519C06FFB3BDCEF45794F0400B7FA0CD6385DE5CAC848699
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005107B0
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: LongNamePath_memmove
                                              • String ID:
                                              • API String ID: 2514874351-0
                                              • Opcode ID: e3f58735264f2de14e50b11e4ba5eb9ab4d338d96a6bb6aab7fe0b873829449f
                                              • Instruction ID: 9d505328ab4dda5be4d8b3fed4dd3aa48b80bea1e9fa395d97d9f66530e923d4
                                              • Opcode Fuzzy Hash: e3f58735264f2de14e50b11e4ba5eb9ab4d338d96a6bb6aab7fe0b873829449f
                                              • Instruction Fuzzy Hash: E8E0CD3690412857C720D659AC09FFA77DDDFC97A0F0441B6FD0CD7255D964ACC086D4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                              • Instruction ID: e8cd8f41a678a56efb146aff90701c87c5e02e88a8d1e2f7adcf50332318026f
                                              • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                              • Instruction Fuzzy Hash: 0DE092B0104B009FD7398A24D811BE377E5FB05305F04081DF6AA93241EB6278858759
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?), ref: 017C2CF3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                              • Instruction ID: b794d8f52f3db868beb8724dac2fead0d7a63d1d2a0fe4b2e8e8a8e899e6ccf9
                                              • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                              • Instruction Fuzzy Hash: 69E0C230A0520CEBDB54CBBCCD08AADB3B8EB14731F20469CE907C36C2D5318A80D760
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?), ref: 017C2CC3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                              • Instruction ID: de7d6c68f2b8ec20b1c9fb522010eb86e3b85fd8c2d0d0bd70971b077898db96
                                              • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                              • Instruction Fuzzy Hash: E8D0A73090520CEBCB20CFF89D049DEB3A8D705321F00475CFD15C3281D53199809750
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __wfsopen
                                              • String ID:
                                              • API String ID: 197181222-0
                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction ID: 994e913d9deaec975b0e3deac11c730f35ee97a9d58851ed22eb208aca4e8059
                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction Fuzzy Hash: CEB0927A44020CB7DE012A92EC02A893F19AB91764F408020FB1C18162A677A6A49A89
                                              APIs
                                              • Sleep.KERNELBASE(000001F4), ref: 017C46F9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1446052818.00000000017C2000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C2000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c2000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction ID: 2eed4835adf12050fa146145b559a7fad7f346aa28db07a6c6ffb8641ac93026
                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction Fuzzy Hash: 1DE0E67494010DDFDB00DFB4D54969D7BB4EF04701F100165FD06D2281D6309D608A72
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0057CB37
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0057CB95
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0057CBD6
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0057CC00
                                              • SendMessageW.USER32 ref: 0057CC29
                                              • _wcsncpy.LIBCMT ref: 0057CC95
                                              • GetKeyState.USER32(00000011), ref: 0057CCB6
                                              • GetKeyState.USER32(00000009), ref: 0057CCC3
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0057CCD9
                                              • GetKeyState.USER32(00000010), ref: 0057CCE3
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0057CD0C
                                              • SendMessageW.USER32 ref: 0057CD33
                                              • SendMessageW.USER32(?,00001030,?,0057B348), ref: 0057CE37
                                              • SetCapture.USER32(?), ref: 0057CE69
                                              • ClientToScreen.USER32(?,?), ref: 0057CECE
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0057CEF5
                                              • ReleaseCapture.USER32 ref: 0057CF00
                                              • GetCursorPos.USER32(?), ref: 0057CF3A
                                              • ScreenToClient.USER32(?,?), ref: 0057CF47
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0057CFA3
                                              • SendMessageW.USER32 ref: 0057CFD1
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0057D00E
                                              • SendMessageW.USER32 ref: 0057D03D
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0057D05E
                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0057D06D
                                              • GetCursorPos.USER32(?), ref: 0057D08D
                                              • ScreenToClient.USER32(?,?), ref: 0057D09A
                                              • GetParent.USER32(?), ref: 0057D0BA
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0057D123
                                              • SendMessageW.USER32 ref: 0057D154
                                              • ClientToScreen.USER32(?,?), ref: 0057D1B2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0057D1E2
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0057D20C
                                              • SendMessageW.USER32 ref: 0057D22F
                                              • ClientToScreen.USER32(?,?), ref: 0057D281
                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0057D2B5
                                                • Part of subcall function 004F25DB: GetWindowLongW.USER32(?,000000EB), ref: 004F25EC
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0057D351
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                              • String ID: @GUI_DRAGID$F$pb[
                                              • API String ID: 302779176-4275205045
                                              • Opcode ID: d32375295b2ea46c5b785ca55cd19eec1e292ea849694fa652d987493b4baeb1
                                              • Instruction ID: 6e847fb99c766f0969c6c502984f0ba5a46af309abe8de8a6eb3c9e34d100274
                                              • Opcode Fuzzy Hash: d32375295b2ea46c5b785ca55cd19eec1e292ea849694fa652d987493b4baeb1
                                              • Instruction Fuzzy Hash: DA429A74204240AFD725CF64E848FAABFE5FF49310F548A1DF65E872A1D731A844EB52
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove$_memset
                                              • String ID: ]Z$3cP$DEFINE$P\Z$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_P
                                              • API String ID: 1357608183-4263399106
                                              • Opcode ID: 7b7351abf1ec6913350dec5569733f5e76b312e26710194baeb4bf31df427e07
                                              • Instruction ID: 4ae9110a2e08159efa374d2c56271d6477e09c68c8cbfdacd0e02ad2c17352c4
                                              • Opcode Fuzzy Hash: 7b7351abf1ec6913350dec5569733f5e76b312e26710194baeb4bf31df427e07
                                              • Instruction Fuzzy Hash: 4693A375E00219DBDB24CF98C881BEDBBB1FF48314F24856AE955EB291E7709E81CB40
                                              APIs
                                              • GetForegroundWindow.USER32(00000000,?), ref: 004F48DF
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0052D665
                                              • IsIconic.USER32(?), ref: 0052D66E
                                              • ShowWindow.USER32(?,00000009), ref: 0052D67B
                                              • SetForegroundWindow.USER32(?), ref: 0052D685
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0052D69B
                                              • GetCurrentThreadId.KERNEL32 ref: 0052D6A2
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0052D6AE
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0052D6BF
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0052D6C7
                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0052D6CF
                                              • SetForegroundWindow.USER32(?), ref: 0052D6D2
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052D6E7
                                              • keybd_event.USER32(00000012,00000000), ref: 0052D6F2
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052D6FC
                                              • keybd_event.USER32(00000012,00000000), ref: 0052D701
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052D70A
                                              • keybd_event.USER32(00000012,00000000), ref: 0052D70F
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052D719
                                              • keybd_event.USER32(00000012,00000000), ref: 0052D71E
                                              • SetForegroundWindow.USER32(?), ref: 0052D721
                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0052D748
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 4125248594-2988720461
                                              • Opcode ID: b111dc3cb672be78f4db317def2c17f52b9d60ef50d991af15fce228ae82d1c7
                                              • Instruction ID: 7dcaba634ae77b306386d37967aa7176d0237ca902ff75dedbb8d1b49d752f52
                                              • Opcode Fuzzy Hash: b111dc3cb672be78f4db317def2c17f52b9d60ef50d991af15fce228ae82d1c7
                                              • Instruction Fuzzy Hash: F8315271A40328BAEB206F61AC89F7F7E6CFF55B50F144025FA08EA1D1C6B45941BBA1
                                              APIs
                                                • Part of subcall function 005487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054882B
                                                • Part of subcall function 005487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00548858
                                                • Part of subcall function 005487E1: GetLastError.KERNEL32 ref: 00548865
                                              • _memset.LIBCMT ref: 00548353
                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005483A5
                                              • CloseHandle.KERNEL32(?), ref: 005483B6
                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005483CD
                                              • GetProcessWindowStation.USER32 ref: 005483E6
                                              • SetProcessWindowStation.USER32(00000000), ref: 005483F0
                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0054840A
                                                • Part of subcall function 005481CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00548309), ref: 005481E0
                                                • Part of subcall function 005481CB: CloseHandle.KERNEL32(?,?,00548309), ref: 005481F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                              • String ID: $default$winsta0
                                              • API String ID: 2063423040-1027155976
                                              • Opcode ID: c44a2cfa63de9daa0d7376e63cd6121bca25c725763b5d33adbbcbc0ef893d26
                                              • Instruction ID: 6f79a94b324b0def9ce561f73c5e4be3e6d45860ee672ecd56f636ba7d081930
                                              • Opcode Fuzzy Hash: c44a2cfa63de9daa0d7376e63cd6121bca25c725763b5d33adbbcbc0ef893d26
                                              • Instruction Fuzzy Hash: 9C812571900209BFDF11EFA4DC49AFE7FB9FF08708F144169F914A6261DB318A59AB60
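The two routines summarised above (the AttachThreadInput / keybd_event window-activation routine and the winsta0 / default token routine) and the FSCTL_SET_REPARSE_POINT routine further down this page are recognisable from their call sequences alone. The following is an added example, not code from the Joe Sandbox report or from the sample: it parses function summaries written in this page's "APIs" / "String ID" format and flags those three patterns. The rule names, labels and the constructed sample text are this example's own; VK_MENU = 0x12, FSCTL_SET_REPARSE_POINT = 0x000900A4 and FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000 are Windows SDK values.

```python
# Added example (not Joe Sandbox's code): parse the per-function "APIs" and
# "String ID" lines in this page's format and flag behaviours that are
# recognisable from the Win32 call sequence alone. Windows constants are SDK
# values; the rules, labels and constructed sample are this example's own.
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")
VK_MENU = 0x12                             # Alt: the key keybd_event taps
FSCTL_SET_REPARSE_POINT = 0x000900A4       # DeviceIoControl code in the junction routine
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000

@dataclass
class ApiCall:
    name: str
    module: str
    args: list         # ints for 8-digit hex tokens, raw text otherwise
    ref: int
    in_subcall: bool

@dataclass
class FuncSummary:
    key: str = ""
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def _arg(tok):
    tok = tok.strip()
    return int(tok, 16) & 0xFFFFFFFF if re.fullmatch(r"-?[0-9A-F]{8}", tok) else tok

def parse_report(text):
    """One FuncSummary per 'APIs' block; key = address of the first own API call."""
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FuncSummary()
            funcs.append(cur)
        elif cur is not None and (m := API_RE.search(s)):
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
        elif cur is not None and (m := STRING_RE.search(s)):
            cur.strings = [t for t in m["ids"].split("$") if t]
    for f in funcs:
        own = [c for c in f.calls if not c.in_subcall] or f.calls
        f.key = f"sub_{own[0].ref:08X}" if own else "sub_unknown"
    return funcs

def _calls(f, name):
    return [c for c in f.calls if c.name == name]

def rule_foreground_force(f):
    # Attach to the foreground thread, tap Alt, SetForegroundWindow: the usual
    # way round the SetForegroundWindow restriction.
    alt = any(c.args and c.args[0] == VK_MENU for c in _calls(f, "keybd_event"))
    return alt and bool(_calls(f, "AttachThreadInput")) and bool(_calls(f, "SetForegroundWindow"))

def rule_junction_create(f):
    # Directory opened with FILE_FLAG_OPEN_REPARSE_POINT, FSCTL_SET_REPARSE_POINT
    # issued, and a target formatted with the NT "\??\" prefix.
    ioctl = any(len(c.args) > 1 and c.args[1] == FSCTL_SET_REPARSE_POINT
                for c in _calls(f, "DeviceIoControl"))
    rp_open = any(len(c.args) > 5 and isinstance(c.args[5], int)
                  and c.args[5] & FILE_FLAG_OPEN_REPARSE_POINT for c in _calls(f, "CreateFileW"))
    return ioctl and rp_open and any(s.startswith("\\??\\") for s in f.strings)

def rule_interactive_desktop_token(f):
    # Duplicated token plus explicit winsta0/default: running something on the
    # interactive desktop under another token.
    names = {c.name for c in f.calls}
    return (any("winsta0" in c.args for c in _calls(f, "OpenWindowStationW"))
            and any("default" in c.args for c in _calls(f, "OpenDesktopW"))
            and {"DuplicateTokenEx", "AdjustTokenPrivileges"} <= names)

RULES = {
    "foreground-window forcing (AttachThreadInput + Alt tap)": rule_foreground_force,
    "directory junction creation (FSCTL_SET_REPARSE_POINT)": rule_junction_create,
    "interactive winsta0/default access with a duplicated token": rule_interactive_desktop_token,
}

def triage(text):
    """Map function key -> matched rule labels; functions without a hit are omitted."""
    hits = {}
    for f in parse_report(text):
        tags = [label for label, rule in RULES.items() if rule(f)]
        if tags:
            hits[f.key] = tags
    return hits

# Constructed sample: API lines copied from this page's summaries, plus a
# plain directory-walk routine as a negative control.
SAMPLE = r"""
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 004F48DF
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0052D6BF
• keybd_event.USER32(00000012,00000000), ref: 0052D6F2
• SetForegroundWindow.USER32(?), ref: 0052D721
• String ID: Shell_TrayWnd
APIs
  • Part of subcall function 005487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054882B
  • Part of subcall function 005487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00548858
• _memset.LIBCMT ref: 00548353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005483A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005483CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0054840A
• String ID: $default$winsta0
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0055A20F
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0055A293
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0055A323
• String ID: :$\$\??\%s
APIs
• FindFirstFileW.KERNEL32(*.*,?), ref: 0055F04D
• String ID: *.*
"""

if __name__ == "__main__":
    for key, tags in triage(SAMPLE).items():
        print(key, "->", "; ".join(tags))
```

Subcall lines ("Part of subcall function ...") are kept but marked, so a rule can count AdjustTokenPrivileges reached through a callee while the function key still comes from the routine's own first call. Paste a whole "Execution Graph" section in place of SAMPLE to run it over a full report.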
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0055C78D
                                              • FindClose.KERNEL32(00000000), ref: 0055C7E1
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0055C806
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0055C81D
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0055C844
                                              • __swprintf.LIBCMT ref: 0055C890
                                              • __swprintf.LIBCMT ref: 0055C8D3
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                              • __swprintf.LIBCMT ref: 0055C927
                                                • Part of subcall function 00513698: __woutput_l.LIBCMT ref: 005136F1
                                              • __swprintf.LIBCMT ref: 0055C975
                                                • Part of subcall function 00513698: __flsbuf.LIBCMT ref: 00513713
                                                • Part of subcall function 00513698: __flsbuf.LIBCMT ref: 0051372B
                                              • __swprintf.LIBCMT ref: 0055C9C4
                                              • __swprintf.LIBCMT ref: 0055CA13
                                              • __swprintf.LIBCMT ref: 0055CA62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                              • API String ID: 3953360268-2428617273
                                              • Opcode ID: 66c07aa3e72699567e76bcbccf6d1c4265a539d0c1b9c1caf09a1c7e13eb2075
                                              • Instruction ID: 6bdf15c47352c01ba537e47642d40d12b4fc3ccd8f27f47a6435a482bb4cdee8
                                              • Opcode Fuzzy Hash: 66c07aa3e72699567e76bcbccf6d1c4265a539d0c1b9c1caf09a1c7e13eb2075
                                              • Instruction Fuzzy Hash: F2A12DB1404309AFD704EBA5C895EBFBBECFF94704F40091EF68586191EA34DA48CB66
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0055EFB6
                                              • _wcscmp.LIBCMT ref: 0055EFCB
                                              • _wcscmp.LIBCMT ref: 0055EFE2
                                              • GetFileAttributesW.KERNEL32(?), ref: 0055EFF4
                                              • SetFileAttributesW.KERNEL32(?,?), ref: 0055F00E
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0055F026
                                              • FindClose.KERNEL32(00000000), ref: 0055F031
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0055F04D
                                              • _wcscmp.LIBCMT ref: 0055F074
                                              • _wcscmp.LIBCMT ref: 0055F08B
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0055F09D
                                              • SetCurrentDirectoryW.KERNEL32(005A8920), ref: 0055F0BB
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0055F0C5
                                              • FindClose.KERNEL32(00000000), ref: 0055F0D2
                                              • FindClose.KERNEL32(00000000), ref: 0055F0E4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1803514871-438819550
                                              • Opcode ID: 61281fa73fa73d3790ad0dd244f8747bcf0af178580c73729e025052a326a217
                                              • Instruction ID: 30c2738a4db8f93e46d408ff899fe0d9bfbec0a46e77aa263f5576e3d004964e
                                              • Opcode Fuzzy Hash: 61281fa73fa73d3790ad0dd244f8747bcf0af178580c73729e025052a326a217
                                              • Instruction Fuzzy Hash: C831F4365002196ADB14DBA0EC5CAEE7BACBF45321F040172E809D20E1EB30DA88EB51
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00570953
                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0057F910,00000000,?,00000000,?,?), ref: 005709C1
                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00570A09
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00570A92
                                              • RegCloseKey.ADVAPI32(?), ref: 00570DB2
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00570DBF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Close$ConnectCreateRegistryValue
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 536824911-966354055
                                              • Opcode ID: a8fd6226161ae51982543f888259113b0665ebfd71ee744b04ccee2eededd885
                                              • Instruction ID: 162090eb2342744b27c9b85f7d09281b42abeead13e1c78779a44c9f025f17b1
                                              • Opcode Fuzzy Hash: a8fd6226161ae51982543f888259113b0665ebfd71ee744b04ccee2eededd885
                                              • Instruction Fuzzy Hash: 18027A756006019FCB14EF25D845E2ABBE5FF89324F04885DF98A9B3A2CB34EC45DB81
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • DragQueryPoint.SHELL32(?,?), ref: 0057C627
                                                • Part of subcall function 0057AB37: ClientToScreen.USER32(?,?), ref: 0057AB60
                                                • Part of subcall function 0057AB37: GetWindowRect.USER32(?,?), ref: 0057ABD6
                                                • Part of subcall function 0057AB37: PtInRect.USER32(?,?,0057C014), ref: 0057ABE6
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0057C690
                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0057C69B
                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0057C6BE
                                              • _wcscat.LIBCMT ref: 0057C6EE
                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0057C705
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0057C71E
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0057C735
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0057C757
                                              • DragFinish.SHELL32(?), ref: 0057C75E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0057C851
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb[
                                              • API String ID: 2166380349-1704122981
                                              • Opcode ID: d5d913f59ea5bf524c8212f9e63a8aac8acb437057594527d74effd1b7083eaa
                                              • Instruction ID: 9518971dd5b918bfc7cfab26dea73b05a796530687e85ffed335465a20d0a428
                                              • Opcode Fuzzy Hash: d5d913f59ea5bf524c8212f9e63a8aac8acb437057594527d74effd1b7083eaa
                                              • Instruction Fuzzy Hash: 06618B71108305AFC701EF64E885DAFBFE8FF99714F00092EF695921A1DB70AA49DB52
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0055F113
                                              • _wcscmp.LIBCMT ref: 0055F128
                                              • _wcscmp.LIBCMT ref: 0055F13F
                                                • Part of subcall function 00554385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005543A0
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0055F16E
                                              • FindClose.KERNEL32(00000000), ref: 0055F179
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0055F195
                                              • _wcscmp.LIBCMT ref: 0055F1BC
                                              • _wcscmp.LIBCMT ref: 0055F1D3
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0055F1E5
                                              • SetCurrentDirectoryW.KERNEL32(005A8920), ref: 0055F203
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0055F20D
                                              • FindClose.KERNEL32(00000000), ref: 0055F21A
                                              • FindClose.KERNEL32(00000000), ref: 0055F22C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 1824444939-438819550
                                              • Opcode ID: 0f2b8700465e2a39ca65efcd561dc62ae499121982db790a082a2276295a8ad0
                                              • Instruction ID: 9108461ea9178663ff7081e870c69ff9d17fc3b5a2c35f8a7d96a3315789e8a0
                                              • Opcode Fuzzy Hash: 0f2b8700465e2a39ca65efcd561dc62ae499121982db790a082a2276295a8ad0
                                              • Instruction Fuzzy Hash: 7E31C97A5006196ADF10DBA4EC69EEE7BACBF45361F100176EC04E20A1EB30DE89DB54
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0055A20F
                                              • __swprintf.LIBCMT ref: 0055A231
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0055A26E
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0055A293
                                              • _memset.LIBCMT ref: 0055A2B2
                                              • _wcsncpy.LIBCMT ref: 0055A2EE
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0055A323
                                              • CloseHandle.KERNEL32(00000000), ref: 0055A32E
                                              • RemoveDirectoryW.KERNEL32(?), ref: 0055A337
                                              • CloseHandle.KERNEL32(00000000), ref: 0055A341
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                              • String ID: :$\$\??\%s
                                              • API String ID: 2733774712-3457252023
                                              • Opcode ID: 0f3951ecc13ead1cd25697b29d46f7c1be16915c7cad3bf6b72b3960e6ceccce
                                              • Instruction ID: 9ef4a55423733df5caa32d084f70909d41dbb86237e99d575428f856000c562d
                                              • Opcode Fuzzy Hash: 0f3951ecc13ead1cd25697b29d46f7c1be16915c7cad3bf6b72b3960e6ceccce
                                              • Instruction Fuzzy Hash: DA31A27550410AABDB20DFA0DC49FEF3BBCBF89701F1041B6F908D6160EB7096889B25
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0057C1FC
                                              • GetFocus.USER32 ref: 0057C20C
                                              • GetDlgCtrlID.USER32(00000000), ref: 0057C217
                                              • _memset.LIBCMT ref: 0057C342
                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0057C36D
                                              • GetMenuItemCount.USER32(?), ref: 0057C38D
                                              • GetMenuItemID.USER32(?,00000000), ref: 0057C3A0
                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0057C3D4
                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0057C41C
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0057C454
                                              • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0057C489
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                              • String ID: 0
                                              • API String ID: 3616455698-4108050209
                                              • Opcode ID: 6f292e9bc57514cfe036ef2d1fbea136251db60036a936d0b5e9fd69fbd291c2
                                              • Instruction ID: 506091807396c321d02b132db3c1b3803804c1aa2e8533d8042ea5d4646f7c8e
                                              • Opcode Fuzzy Hash: 6f292e9bc57514cfe036ef2d1fbea136251db60036a936d0b5e9fd69fbd291c2
                                              • Instruction Fuzzy Hash: 5D819E70208301AFDB10DF24E894A7BBFE9FB88714F00892EF99997291D770D945EB52
                                              Similarity
                                              • API ID:
                                              • String ID: 3cP$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_P
                                              • API String ID: 0-2955629382
                                              • Opcode ID: 14ce821765c8f64452366a58e22bde012c1c4db57a3f3610f82c2a7b82a34d89
                                              • Instruction ID: a76090f890489402561adef1c1c1dec1b220f76aa4e2d62ba48b7a0a41b91b1c
                                              • Opcode Fuzzy Hash: 14ce821765c8f64452366a58e22bde012c1c4db57a3f3610f82c2a7b82a34d89
                                              • Instruction Fuzzy Hash: 61726E75E00619DBDB24CF59C8807EEBBB5FF44314F14856AE849EB281EB709E81CB94
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00550097
                                              • SetKeyboardState.USER32(?), ref: 00550102
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00550122
                                              • GetKeyState.USER32(000000A0), ref: 00550139
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00550168
                                              • GetKeyState.USER32(000000A1), ref: 00550179
                                              • GetAsyncKeyState.USER32(00000011), ref: 005501A5
                                              • GetKeyState.USER32(00000011), ref: 005501B3
                                              • GetAsyncKeyState.USER32(00000012), ref: 005501DC
                                              • GetKeyState.USER32(00000012), ref: 005501EA
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00550213
                                              • GetKeyState.USER32(0000005B), ref: 00550221
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: 6c7c8cc48da740b7b873c9d756f5c8bb8b5f5f89ffa6003214a5f442b64ea383
                                              • Instruction ID: e63e5c49a4d2c584d2a32afe88af3ae3c72d425c583843f265ad9bf7c3efe334
                                              • Opcode Fuzzy Hash: 6c7c8cc48da740b7b873c9d756f5c8bb8b5f5f89ffa6003214a5f442b64ea383
                                              • Instruction Fuzzy Hash: 24510F3090478929FB35DB6088787EABFB4AF01381F48559FCDC6565C3DA949B8CC762
                                              APIs
                                                • Part of subcall function 00570E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056FDAD,?,?), ref: 00570E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005704AC
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0057054B
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005705E3
                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00570822
                                              • RegCloseKey.ADVAPI32(00000000), ref: 0057082F
                                              Similarity
                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                              • String ID:
                                              • API String ID: 1240663315-0
                                              • Opcode ID: ec9220b073684f3c6fd3ef1e54ebafd2e6dfb533f0446e6151e66e737716bce7
                                              • Instruction ID: cb8514f03da91d9cae2d1375ada9de70cf86a3d300fc241a450b49244b654730
                                              • Opcode Fuzzy Hash: ec9220b073684f3c6fd3ef1e54ebafd2e6dfb533f0446e6151e66e737716bce7
                                              • Instruction Fuzzy Hash: 45E15C31204204EFCB14DF25D895E6ABBE4FF89314B04C96DF94ADB2A1DA30ED05DB92
                                              Similarity
                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                              • String ID:
                                              • API String ID: 1737998785-0
                                              • Opcode ID: 86d693c53d6f99500d52f0ebb7cfb8d8268ed175d75277aacf42e0815a4c12ab
                                              • Instruction ID: c7a48b989765356abf72d482f5584e513bc462ab5b3c4b87687b2ccd1b05c71d
                                              • Opcode Fuzzy Hash: 86d693c53d6f99500d52f0ebb7cfb8d8268ed175d75277aacf42e0815a4c12ab
                                              • Instruction Fuzzy Hash: 4E21A1392002149FDB10AF24EC09B6D7BA8FF55754F10802AF94ADB2B1DB34AC45EF55
                                              APIs
                                                • Part of subcall function 004F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F4743,?,?,004F37AE,?), ref: 004F4770
                                                • Part of subcall function 00554A31: GetFileAttributesW.KERNEL32(?,0055370B), ref: 00554A32
                                              • FindFirstFileW.KERNEL32(?,?), ref: 005538A3
                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0055394B
                                              • MoveFileW.KERNEL32(?,?), ref: 0055395E
                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0055397B
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0055399D
                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 005539B9
                                              Similarity
                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 4002782344-1173974218
                                              • Opcode ID: 2d4e7449913aa45373438b7c852df8f39409e865a8f9f058a1d89c6b6ec8029c
                                              • Instruction ID: 8253b197bcc9ab30eb571c9d1f0e33cd1717fea3f79e272c3c9c8da47a57faa7
                                              • Opcode Fuzzy Hash: 2d4e7449913aa45373438b7c852df8f39409e865a8f9f058a1d89c6b6ec8029c
                                              • Instruction Fuzzy Hash: CB51B07180514DAACF05EBA1D9A2CFDBB78AF14345F60006AE90AB7191EF646F0DCB64
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0055F440
                                              • Sleep.KERNEL32(0000000A), ref: 0055F470
                                              • _wcscmp.LIBCMT ref: 0055F484
                                              • _wcscmp.LIBCMT ref: 0055F49F
                                              • FindNextFileW.KERNEL32(?,?), ref: 0055F53D
                                              • FindClose.KERNEL32(00000000), ref: 0055F553
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                              • String ID: *.*
                                              • API String ID: 713712311-438819550
                                              • Opcode ID: 5c515b2e6f975ad8c506041bed2d71b600dbde78d6a43318a578af6dc4e89373
                                              • Instruction ID: 31697a18505e1d44caba4bf529362bed49bc21a9e0708181942ffe95357da3aa
                                              • Opcode Fuzzy Hash: 5c515b2e6f975ad8c506041bed2d71b600dbde78d6a43318a578af6dc4e89373
                                              • Instruction Fuzzy Hash: C7418C7180020AAFDF14DF68DC59AEEBBB4FF05315F10446AE919A3191EB349E88DB50
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • GetSystemMetrics.USER32(0000000F), ref: 0057D47C
                                              • GetSystemMetrics.USER32(0000000F), ref: 0057D49C
                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0057D6D7
                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0057D6F5
                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0057D716
                                              • ShowWindow.USER32(00000003,00000000), ref: 0057D735
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0057D75A
                                              • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0057D77D
                                              Similarity
                                              • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                              • String ID:
                                              • API String ID: 830902736-0
                                              • Opcode ID: f5bafd0be381f9990bc865f6d05fcf417b81cb542beb4523816b1a772cf87cbf
                                              • Instruction ID: e41c5eb8fd88dbd08f54360f176cba02d0b175f71edc628be027bcc75b85039e
                                              • Opcode Fuzzy Hash: f5bafd0be381f9990bc865f6d05fcf417b81cb542beb4523816b1a772cf87cbf
                                              • Instruction Fuzzy Hash: 7DB19971600229ABDF18CF68D985BA97BB1FF44701F08C069ED4C9B295D734A994EBA0
                                              Similarity
                                              • API ID: __itow__swprintf
                                              • String ID: 3cP$_P
                                              • API String ID: 674341424-1684181656
                                              • Opcode ID: 5a3fed1bcd9e7519f3d5b0b779ac8c42250d86228325ac4bc28bc3d9bf0cb243
                                              • Instruction ID: 78731eae2e597789d560aa56188a473b7b8c0efd7046c3fcfc2d81220d5267b5
                                              • Opcode Fuzzy Hash: 5a3fed1bcd9e7519f3d5b0b779ac8c42250d86228325ac4bc28bc3d9bf0cb243
                                              • Instruction Fuzzy Hash: 24227A716083019FDB24DF14C885BAEBBE8BF84714F00891DF99A9B291DB75ED44CB92
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 6e5ce00ebe3f9e3a78e584219d70de154fb3127c7c7f70c380fc2a6a32615acb
                                              • Instruction ID: 9ef7b23955f7680f534755af7c7c26b4d62865344343ac26136cccf011cfd800
                                              • Opcode Fuzzy Hash: 6e5ce00ebe3f9e3a78e584219d70de154fb3127c7c7f70c380fc2a6a32615acb
                                              • Instruction Fuzzy Hash: E612AC70A00609DFDF04DFA5D985AEEBBB5FF48304F204929E906E7290EB35AD54CB54
                                              APIs
                                                • Part of subcall function 005487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054882B
                                                • Part of subcall function 005487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00548858
                                                • Part of subcall function 005487E1: GetLastError.KERNEL32 ref: 00548865
                                              • ExitWindowsEx.USER32(?,00000000), ref: 005551F9
                                              Similarity
                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                              • String ID: $@$SeShutdownPrivilege
                                              • API String ID: 2234035333-194228
                                              APIs
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 005662DC
                                              • WSAGetLastError.WS2_32(00000000), ref: 005662EB
                                              • bind.WS2_32(00000000,?,00000010), ref: 00566307
                                              • listen.WS2_32(00000000,00000005), ref: 00566316
                                              • WSAGetLastError.WS2_32(00000000), ref: 00566330
                                              • closesocket.WS2_32(00000000), ref: 00566344
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                              • String ID:
                                              • API String ID: 1279440585-0
                                              APIs
                                                • Part of subcall function 00510DB6: std::exception::exception.LIBCMT ref: 00510DEC
                                                • Part of subcall function 00510DB6: __CxxThrowException@8.LIBCMT ref: 00510E01
                                              • _memmove.LIBCMT ref: 00540258
                                              • _memmove.LIBCMT ref: 0054036D
                                              • _memmove.LIBCMT ref: 00540414
                                              Similarity
                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                              • String ID:
                                              • API String ID: 1300846289-0
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 004F19FA
                                              • GetSysColor.USER32(0000000F), ref: 004F1A4E
                                              • SetBkColor.GDI32(?,00000000), ref: 004F1A61
                                                • Part of subcall function 004F1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 004F12D8
                                              Similarity
                                              • API ID: ColorDialogNtdllProc_$LongWindow
                                              • String ID:
                                              • API String ID: 591255283-0
                                              APIs
                                                • Part of subcall function 00567D8B: inet_addr.WS2_32(00000000), ref: 00567DB6
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 0056679E
                                              • WSAGetLastError.WS2_32(00000000), ref: 005667C7
                                              • bind.WS2_32(00000000,?,00000010), ref: 00566800
                                              • WSAGetLastError.WS2_32(00000000), ref: 0056680D
                                              • closesocket.WS2_32(00000000), ref: 00566821
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 99427753-0
                                              APIs
                                              Similarity
                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                              • String ID:
                                              • API String ID: 292994002-0
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005480C0
                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005480CA
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005480D9
                                              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 005480E0
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005480F6
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: Dd[$Dd[$Dd[$Dd[$Variable must be of type 'Object'.
                                              • API String ID: 0-3728478237
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 0055C432
                                              • CoCreateInstance.COMBASE(00582D6C,00000000,00000001,00582BDC,?), ref: 0055C44A
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                              • CoUninitialize.COMBASE ref: 0055C6B7
                                              Similarity
                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                              • String ID: .lnk
                                              • API String ID: 2683427295-24824748
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0056EE3D
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0056EE4B
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                              • Process32NextW.KERNEL32(00000000,?), ref: 0056EF0B
                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0056EF1A
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                              • String ID:
                                              • API String ID: 2576544623-0
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • GetCursorPos.USER32(?), ref: 0057C4D2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0052B9AB,?,?,?,?,?), ref: 0057C4E7
                                              • GetCursorPos.USER32(?), ref: 0057C534
                                              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0052B9AB,?,?,?), ref: 0057C56E
                                              Similarity
                                              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                              • String ID:
                                              • API String ID: 1423138444-0
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 004F12D8
                                              • GetClientRect.USER32(?,?), ref: 0052B5FB
                                              • GetCursorPos.USER32(?), ref: 0052B605
                                              • ScreenToClient.USER32(?,?), ref: 0052B610
                                              Similarity
                                              • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                              • String ID:
                                              • API String ID: 1010295502-0
                                              APIs
                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0054E628
                                              Strings
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: ($|
                                              • API String ID: 1659193697-1631851259
                                              APIs
                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0056180A,00000000), ref: 005623E1
                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00562418
                                              Similarity
                                              • API ID: Internet$AvailableDataFileQueryRead
                                              • String ID:
                                              • API String ID: 599397726-0
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0055B343
                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0055B39D
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0055B3EA
                                              Similarity
                                              • API ID: ErrorMode$DiskFreeSpace
                                              • String ID:
                                              • API String ID: 1682464887-0
                                              APIs
                                                • Part of subcall function 00510DB6: std::exception::exception.LIBCMT ref: 00510DEC
                                                • Part of subcall function 00510DB6: __CxxThrowException@8.LIBCMT ref: 00510E01
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0054882B
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00548858
                                              • GetLastError.KERNEL32 ref: 00548865
                                              Similarity
                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                              • String ID:
                                              • API String ID: 1922334811-0
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00548774
                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0054878B
                                              • FreeSid.ADVAPI32(?), ref: 0054879B
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              APIs
                                              • __time64.LIBCMT ref: 0055889B
                                                • Part of subcall function 0051520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00558F6E,00000000,?,?,?,?,0055911F,00000000,?), ref: 00515213
                                                • Part of subcall function 0051520A: __aulldiv.LIBCMT ref: 00515233
                                              Strings
                                              Similarity
                                              • API ID: Time$FileSystem__aulldiv__time64
                                              • String ID: 0e[
                                              • API String ID: 2893107130-1058614044
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                                • Part of subcall function 004F25DB: GetWindowLongW.USER32(?,000000EB), ref: 004F25EC
                                              • GetParent.USER32(?), ref: 0052B7BA
                                              • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,004F19B3,?,?,?,00000006,?), ref: 0052B834
                                              Similarity
                                              • API ID: LongWindow$DialogNtdllParentProc_
                                              • String ID:
                                              • API String ID: 314495775-0
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0055C6FB
                                              • FindClose.KERNEL32(00000000), ref: 0055C72B
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0052B93A,?,?,?), ref: 0057C5F1
                                                • Part of subcall function 004F25DB: GetWindowLongW.USER32(?,000000EB), ref: 004F25EC
                                              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0057C5D7
                                              Similarity
                                              • API ID: LongWindow$DialogMessageNtdllProc_Send
                                              • String ID:
                                              • API String ID: 1273190321-0
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 0057C961
                                              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0052BA16,?,?,?,?,?), ref: 0057C98A
                                              Similarity
                                              • API ID: ClientDialogNtdllProc_Screen
                                              • String ID:
                                              • API String ID: 3420055661-0
                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00569468,?,0057FB84,?), ref: 0055A097
                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00569468,?,0057FB84,?), ref: 0055A0A9
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EC), ref: 0057CA84
                                              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0052B995,?,?,?,?), ref: 0057CAB2
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: f1d02aeb7f7419cc94e8dc41970195fa273f2ec6d4f92d547375e3a11044555c
                                              • Instruction ID: a6cb8233625b6825fc8d590144f26ec83137fac00c11cbecbbd7c151f1696211
                                              • Opcode Fuzzy Hash: f1d02aeb7f7419cc94e8dc41970195fa273f2ec6d4f92d547375e3a11044555c
                                              • Instruction Fuzzy Hash: 5DE04F70104218BFEB14DF19EC0AFBA3F54EB14751F408519F95ADA1E1C6709890B760
                                              APIs
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00548309), ref: 005481E0
                                              • CloseHandle.KERNEL32(?,?,00548309), ref: 005481F2
                                              Similarity
                                              • API ID: AdjustCloseHandlePrivilegesToken
                                              • String ID:
                                              • API String ID: 81990902-0
                                              • Opcode ID: 53074cd3d77e90b3410007f072219fc979e5b019da5c6cd6d9ba88cda7f1e5b9
                                              • Instruction ID: 1fa029d91be3c09327e1137bdb4160c4a26ea2899dad60900a5d751377636eb8
                                              • Opcode Fuzzy Hash: 53074cd3d77e90b3410007f072219fc979e5b019da5c6cd6d9ba88cda7f1e5b9
                                              • Instruction Fuzzy Hash: 42E0B672010611AEE7256B61FC09DB77BAEFF44315714992DB8AA84470DB62ACE1EB10
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,00584178,00518D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0051A15A
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0051A163
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 8fab2de5ae6bc35f2a325b0e388f76c303b94ce241d9f42e2b3a551d94647501
                                              • Instruction ID: bbcdf975888404d180a055a197a5acda3051bbeba439ad35ff756a444cfc4b6d
                                              • Opcode Fuzzy Hash: 8fab2de5ae6bc35f2a325b0e388f76c303b94ce241d9f42e2b3a551d94647501
                                              • Instruction Fuzzy Hash: 8BB09231054208ABCA00AB91FC0DB883F68EB54AAAF404420F60D84060CB625494BB91
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21064776f27829291c8780c7cf8ad007a4f11bf427dc3cf1e5f20c5b2b8ca9db
                                              • Instruction ID: 5f11cac53d58fa0e48aae67a2fc17f90f77d6b51f6e5296eba39b86eb4bd5d8c
                                              • Opcode Fuzzy Hash: 21064776f27829291c8780c7cf8ad007a4f11bf427dc3cf1e5f20c5b2b8ca9db
                                              • Instruction Fuzzy Hash: 0232F131D29F054DE7239634D822335A649AFB73D5F25E737EC2AB59A6EB28C4C35200
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3fc4d40aa75f6110c88c1d5d4e9e41f0486444194a2300c59d45ff31451d00ea
                                              • Instruction ID: a5f5ab364a1c8fcef8e683c4d45690b17eea9240e8ce219c9cdfc9c024d2824b
                                              • Opcode Fuzzy Hash: 3fc4d40aa75f6110c88c1d5d4e9e41f0486444194a2300c59d45ff31451d00ea
                                              • Instruction Fuzzy Hash: 4BB11030E2AF504DE72396388831336BA5CAFBB2C5F51E71BFC2674D62EB2185875241
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0057D838
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 22ed4bd34ee0c25c404ca4f38e021475503ff1a076405beed3b93d637ec7b96c
                                              • Instruction ID: 04e20b45b5a962b263134235f58f2b6409f55f8a23b3cf8e3039341dba48a6cb
                                              • Opcode Fuzzy Hash: 22ed4bd34ee0c25c404ca4f38e021475503ff1a076405beed3b93d637ec7b96c
                                              • Instruction Fuzzy Hash: 6811E634204215AAEB2A5A1CEC4AF7A3F34FB41720F24C715F9195A5D2CA60AD00B3B5
                                              APIs
                                                • Part of subcall function 004F25DB: GetWindowLongW.USER32(?,000000EB), ref: 004F25EC
                                              • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0052B952,?,?,?,?,00000000,?), ref: 0057D432
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 10aae9ea7e18cb06babb8243d3e69252755a9cdad9e477fe10cb7e79804f90f9
                                              • Instruction ID: 29f7c029baef32dd28f16572518716dbfd082a090bfe27a5321a9af428ee8d46
                                              • Opcode Fuzzy Hash: 10aae9ea7e18cb06babb8243d3e69252755a9cdad9e477fe10cb7e79804f90f9
                                              • Instruction Fuzzy Hash: 67019231600114ABDF149E25E849BA93FB2FF46325F488165F95E5B191C371BC51A7B0
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,004F1B04,?,?,?,?,?), ref: 004F18E2
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: b56a61652c6072dc258a7c928413d6cc572345dd7efdac11db15b37e2c38e514
                                              • Instruction ID: d98f9dc77f25f2e96e9d34a269ef8f30797b83c76fe9d53cacc1adedb034fb26
                                              • Opcode Fuzzy Hash: b56a61652c6072dc258a7c928413d6cc572345dd7efdac11db15b37e2c38e514
                                              • Instruction Fuzzy Hash: 8AF0BE30200218DFDB08EF08D891A763BE2FB24390F60422AFA524B3F1DB31E854EB50
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0057C8FE
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              • Opcode ID: f6149a9de0fbb3fb2346a669ddebb2303706a641e5db81f744f5289fb2b0f052
                                              • Instruction ID: b1078b9232768eb3c50db1945db4d91685657cc47636ddcc57002da73dffc17a
                                              • Opcode Fuzzy Hash: f6149a9de0fbb3fb2346a669ddebb2303706a641e5db81f744f5289fb2b0f052
                                              • Instruction Fuzzy Hash: A4F06D31200255AFDB22DF58EC49FC63F95EB19320F548018BA15672E2CB707820E7A0
                                              APIs
                                              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00554C76
                                              Similarity
                                              • API ID: mouse_event
                                              • String ID:
                                              • API String ID: 2434400541-0
                                              • Opcode ID: 63c53746d7df963625d11b4979c651a7a154186e78892b0918688593eaf160d8
                                              • Instruction ID: e78eada64a722db161adf355ab428533727ede5d55fc77a51654465eb0910f96
                                              • Opcode Fuzzy Hash: 63c53746d7df963625d11b4979c651a7a154186e78892b0918688593eaf160d8
                                              • Instruction Fuzzy Hash: 0AD05EB012220939EE2847689D7FF7A1909F3C179BF84854B7A42850C0E8D05CCCBC34
                                              APIs
                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00548389), ref: 005487D1
                                              Similarity
                                              • API ID: LogonUser
                                              • String ID:
                                              • API String ID: 1244722697-0
                                              • Opcode ID: 27a213345a7363558ee18602473c40b594d5d49db69207fc3ca10b01efe7fb87
                                              • Instruction ID: 901f2e78f7644429c83983b156596b8cfb9208d07da616d6bcce66afbf3e2f01
                                              • Opcode Fuzzy Hash: 27a213345a7363558ee18602473c40b594d5d49db69207fc3ca10b01efe7fb87
                                              • Instruction Fuzzy Hash: F1D05E3226450EABEF018EA4EC05EAE3B69EB04B01F408111FE16C61A1C775D835AB60
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0052B9BC,?,?,?,?,?,?), ref: 0057C934
                                                • Part of subcall function 0057B635: _memset.LIBCMT ref: 0057B644
                                                • Part of subcall function 0057B635: _memset.LIBCMT ref: 0057B653
                                                • Part of subcall function 0057B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005B6F20,005B6F64), ref: 0057B682
                                                • Part of subcall function 0057B635: CloseHandle.KERNEL32 ref: 0057B694
                                              Similarity
                                              • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                              • String ID:
                                              • API String ID: 2364484715-0
                                              • Opcode ID: 86643c1826624b0bbd599e129bcda806a5ed039b38e055acdda6b79d67778d45
                                              • Instruction ID: dae44f491e54a257d67a5db3129d7da0b93e642e4b79973e3ad6b912d6a0b0ef
                                              • Opcode Fuzzy Hash: 86643c1826624b0bbd599e129bcda806a5ed039b38e055acdda6b79d67778d45
                                              • Instruction Fuzzy Hash: 6FE09235110209EFCB41AF44ED55E953BA5FB1C715F018155FA0A572B2C731A960FF50
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,004F1AEE,?,?,?), ref: 004F16AB
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 239e7f090c03e073e2311c3f1e025b8be8c5c80d028c29b1abe729fb04835cd5
                                              • Instruction ID: 8d3b48c37078ff03b95620b0a65dfadabedb462796ea2cef86b33af662df5847
                                              • Opcode Fuzzy Hash: 239e7f090c03e073e2311c3f1e025b8be8c5c80d028c29b1abe729fb04835cd5
                                              • Instruction Fuzzy Hash: B6E0EC35200208FBCF0AAF91DC51F643B26FB59754F608419FA455A2A2CA76B521EB54
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL ref: 0057C885
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              • Opcode ID: a708453c56b276c667d069ab2cbf63f1894e491a1f1ca7b948e2d730bcd8b9dd
                                              • Instruction ID: 2ef1bd2ea2ef0dc2ba89fb7449e7ee7c36fa72965f4879dcaf2c1ad6e5b0ad0b
                                              • Opcode Fuzzy Hash: a708453c56b276c667d069ab2cbf63f1894e491a1f1ca7b948e2d730bcd8b9dd
                                              • Instruction Fuzzy Hash: D1E0E235204208EFCB01DF88E885E863BA5AB2D300F004054FA0547262C771A820EB61
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL ref: 0057C8B4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              • Opcode ID: e7aa5e953c95aafe8d6e3b3327ea3d318dec935bc7ca181f137b4fe40a47cb5e
                                              • Instruction ID: d64dd4e54f4b6ac14b955e0070d82f953b18e28b2d0102cf17def4386124ac73
                                              • Opcode Fuzzy Hash: e7aa5e953c95aafe8d6e3b3327ea3d318dec935bc7ca181f137b4fe40a47cb5e
                                              • Instruction Fuzzy Hash: 27E0E235200208EFCB01DF88E845E863BA5AB2D300F004054FA0547262C771A864EBA1
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                                • Part of subcall function 004F201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004F20D3
                                                • Part of subcall function 004F201B: KillTimer.USER32(-00000001,?,?,?,?,004F16CB,00000000,?,?,004F1AE2,?,?), ref: 004F216E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,004F1AE2,?,?), ref: 004F16D4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                              • String ID:
                                              • API String ID: 2797419724-0
                                              • Opcode ID: 77acf8aa098f6ddcf8ad5ba34599cc9230d8fb1c35acd6a35da695e1e52d841d
                                              • Instruction ID: 7431210089e207cbe498ddd38753b2cdc3000be19dffdaf74d7faa662285bca7
                                              • Opcode Fuzzy Hash: 77acf8aa098f6ddcf8ad5ba34599cc9230d8fb1c35acd6a35da695e1e52d841d
                                              • Instruction Fuzzy Hash: 67D0123124030CBBDA112F51ED27F593E19DB14B54F408025BB04791D3CEB56850B55C
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0051A12A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: eed6e0e62f11923f3c356568766bcd2b0942c1c382bf977baa1171530080eb42
                                              • Instruction ID: a6df6eb9925be787c0bcc7cbe0e12db5cbb263a3d67fd675ee00be5a3d244260
                                              • Opcode Fuzzy Hash: eed6e0e62f11923f3c356568766bcd2b0942c1c382bf977baa1171530080eb42
                                              • Instruction Fuzzy Hash: 88A0113000020CAB8A00AB82FC08888BFACEB002A8B008020F80C800228B32A8A0AA80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e04a870792ce3699c14aa636a897c694ae8a614013e8542c05a42e387b75090c
                                              • Instruction ID: 98798ed97fe92fd85698dbb85d0a9348360eff0785a3d71928e186f487da6130
                                              • Opcode Fuzzy Hash: e04a870792ce3699c14aa636a897c694ae8a614013e8542c05a42e387b75090c
                                              • Instruction Fuzzy Hash: 3B220430A045168BDF38CA24C494BBC7FA1BF41358F28886BD9D68B9D3EB709D91DA41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction ID: 4912fafb382538fb3960dc4f4d271b1ff8c93adce939f0b42460b00ac2a2e8f9
                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction Fuzzy Hash: 1AC184362051930AFF2D463994750BEFEA17EA27B171A079DD4B3CB1D4EE20C9B5D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction ID: 2f3d871056c7251d8cb080d744a7a750437c24bda54dccd06a366ffbe1e08781
                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction Fuzzy Hash: 65C1A5322055930AFF2D463AD4351BEBEA17EA27B171A07ADD4B3DB0D4EE10C9B4D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction ID: e96c9be79c406d23a0b0c6b8aa0d915457e2961a43f674db5284f48978402deb
                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction Fuzzy Hash: 50C1A43220989309EF2D4639D4351BEBFA17EA27B131A07DDD5B3CB1C4EE20C9A5D654
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 0056785B
                                              • DeleteObject.GDI32(00000000), ref: 0056786D
                                              • DestroyWindow.USER32 ref: 0056787B
                                              • GetDesktopWindow.USER32 ref: 00567895
                                              • GetWindowRect.USER32(00000000), ref: 0056789C
                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005679DD
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005679ED
                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567A35
                                              • GetClientRect.USER32(00000000,?), ref: 00567A41
                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00567A7B
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567A9D
                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567AB0
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567ABB
                                              • GlobalLock.KERNEL32(00000000), ref: 00567AC4
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567AD3
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00567ADC
                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567AE3
                                              • GlobalFree.KERNEL32(00000000), ref: 00567AEE
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00567B00
                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00582CAC,00000000), ref: 00567B16
                                              • GlobalFree.KERNEL32(00000000), ref: 00567B26
                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00567B4C
                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00567B6B
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567B8D
                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00567D7A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                              • String ID: $AutoIt v3$DISPLAY$static
                                              • API String ID: 2211948467-2373415609
                                              • Opcode ID: d7c98e54d4d87b0557f064bb98f998754414c77fa6a80876b1aca2007475f335
                                              • Instruction ID: 74e779d94f8459e2e750e9af0cbb3761fead87d0a1812189fb6fa09a006bff95
                                              • Opcode Fuzzy Hash: d7c98e54d4d87b0557f064bb98f998754414c77fa6a80876b1aca2007475f335
                                              • Instruction Fuzzy Hash: 08029E75900119EFDB14DFA4DC89EAE7BB9FF48314F108159F905AB2A1CB30AD45DB60
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,0057F910), ref: 00573627
                                              • IsWindowVisible.USER32(?), ref: 0057364B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BuffCharUpperVisibleWindow
                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                              • API String ID: 4105515805-45149045
                                              • Opcode ID: a5dfc4a0efb7ee46dffd7ad716e2985b86d45151b1ac9fa467753753345f3621
                                              • Instruction ID: 9c3224b49737d72e04a2de18da1e635a97ad49012c75ae25abcf13d329e844c5
                                              • Opcode Fuzzy Hash: a5dfc4a0efb7ee46dffd7ad716e2985b86d45151b1ac9fa467753753345f3621
                                              • Instruction Fuzzy Hash: E5D184302143019BCB04EF10D456AAE7FE1BF95364F148859F88A5B3E2DB71EE89EB51
                                              APIs
                                              • SetTextColor.GDI32(?,00000000), ref: 0057A630
                                              • GetSysColorBrush.USER32(0000000F), ref: 0057A661
                                              • GetSysColor.USER32(0000000F), ref: 0057A66D
                                              • SetBkColor.GDI32(?,000000FF), ref: 0057A687
                                              • SelectObject.GDI32(?,00000000), ref: 0057A696
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0057A6C1
                                              • GetSysColor.USER32(00000010), ref: 0057A6C9
                                              • CreateSolidBrush.GDI32(00000000), ref: 0057A6D0
                                              • FrameRect.USER32(?,?,00000000), ref: 0057A6DF
                                              • DeleteObject.GDI32(00000000), ref: 0057A6E6
                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0057A731
                                              • FillRect.USER32(?,?,00000000), ref: 0057A763
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0057A78E
                                                • Part of subcall function 0057A8CA: GetSysColor.USER32(00000012), ref: 0057A903
                                                • Part of subcall function 0057A8CA: SetTextColor.GDI32(?,?), ref: 0057A907
                                                • Part of subcall function 0057A8CA: GetSysColorBrush.USER32(0000000F), ref: 0057A91D
                                                • Part of subcall function 0057A8CA: GetSysColor.USER32(0000000F), ref: 0057A928
                                                • Part of subcall function 0057A8CA: GetSysColor.USER32(00000011), ref: 0057A945
                                                • Part of subcall function 0057A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0057A953
                                                • Part of subcall function 0057A8CA: SelectObject.GDI32(?,00000000), ref: 0057A964
                                                • Part of subcall function 0057A8CA: SetBkColor.GDI32(?,00000000), ref: 0057A96D
                                                • Part of subcall function 0057A8CA: SelectObject.GDI32(?,?), ref: 0057A97A
                                                • Part of subcall function 0057A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0057A999
                                                • Part of subcall function 0057A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0057A9B0
                                                • Part of subcall function 0057A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0057A9C5
                                                • Part of subcall function 0057A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0057A9ED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 3521893082-0
                                              • Opcode ID: 0216590328da77d6f8222cd43331fd37baf87caac29ca90257257986405eef2f
                                              • Instruction ID: 9a8705c02b92cd16398102c8aef030f55a206a74ab8a28b32c52c97aabd5c97b
                                              • Opcode Fuzzy Hash: 0216590328da77d6f8222cd43331fd37baf87caac29ca90257257986405eef2f
                                              • Instruction Fuzzy Hash: 4F917D72408301EFD711DF64EC08E5F7BA9FF88321F104A29F96A961A0D770D988EB52
                                              APIs
                                              • DestroyWindow.USER32(00000000), ref: 005674DE
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0056759D
                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005675DB
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005675ED
                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00567633
                                              • GetClientRect.USER32(00000000,?), ref: 0056763F
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00567683
                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00567692
                                              • GetStockObject.GDI32(00000011), ref: 005676A2
                                              • SelectObject.GDI32(00000000,00000000), ref: 005676A6
                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005676B6
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005676BF
                                              • DeleteDC.GDI32(00000000), ref: 005676C8
                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005676F4
                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 0056770B
                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00567746
                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0056775A
                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 0056776B
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0056779B
                                              • GetStockObject.GDI32(00000011), ref: 005677A6
                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005677B1
                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005677BB
                                              Strings
                                              Similarity
                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                              • API String ID: 2910397461-517079104
                                              • Opcode ID: b8c872278da1050f297241198d12171eeae9a2219070d702ca30fba35d76c68d
                                              • Instruction ID: ba9bfbdb22f005e1078886a283040b30cf65bbf664ba3624d61127bdd57d17e3
                                              • Opcode Fuzzy Hash: b8c872278da1050f297241198d12171eeae9a2219070d702ca30fba35d76c68d
                                              • Instruction Fuzzy Hash: 13A19071A00609BFEB14DBA4DC4AFAEBBB9FB18714F004215FA15A72E0D774AD04DB64
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0055AD1E
                                              • GetDriveTypeW.KERNEL32(?,0057FAC0,?,\\.\,0057F910), ref: 0055ADFB
                                              • SetErrorMode.KERNEL32(00000000,0057FAC0,?,\\.\,0057F910), ref: 0055AF59
                                              Strings
                                              Similarity
                                              • API ID: ErrorMode$DriveType
                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                              • API String ID: 2907320926-4222207086
                                              • Opcode ID: eab2583d804606f2a8478ef9cfdc3b2ab36fc2e85c56ad7834cddf12444b70c7
                                              • Instruction ID: f92d03fa778cb4e1e0d06a994d2969ec37fb831659eadeac9f747748979ae4fa
                                              • Opcode Fuzzy Hash: eab2583d804606f2a8478ef9cfdc3b2ab36fc2e85c56ad7834cddf12444b70c7
                                              • Instruction Fuzzy Hash: 8551C6B4644209AB8B00EB50CD62CBD7FB1FF49716720465BED07A7291EA309D49EB63
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 1038674560-86951937
                                              • Opcode ID: 89cafd195f51945ca654e178fbff6f6fde72b67afd73103996e40b8ffee2f6b9
                                              • Instruction ID: 6150757b368f876d61eb548e8ffc010f6642be3faaaf146beeef17a9b30e4516
                                              • Opcode Fuzzy Hash: 89cafd195f51945ca654e178fbff6f6fde72b67afd73103996e40b8ffee2f6b9
                                              • Instruction Fuzzy Hash: 468127B060021A7ADB10AA61EC47FBF3F68FF16704F044026FA056A1D6EBB4DE41D6A5
                                              APIs
                                              • DestroyWindow.USER32(?,?,?), ref: 004F2CA2
                                              • DeleteObject.GDI32(00000000), ref: 004F2CE8
                                              • DeleteObject.GDI32(00000000), ref: 004F2CF3
                                              • DestroyCursor.USER32(00000000), ref: 004F2CFE
                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 004F2D09
                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0052C43B
                                              • 6F640200.COMCTL32(?,000000FF,?), ref: 0052C474
                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0052C89D
                                                • Part of subcall function 004F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004F2036,?,00000000,?,?,?,?,004F16CB,00000000,?), ref: 004F1B9A
                                              • SendMessageW.USER32(?,00001053), ref: 0052C8DA
                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0052C8F1
                                              Strings
                                              Similarity
                                              • API ID: DestroyMessageSendWindow$DeleteObject$CursorF640200InvalidateMoveRect
                                              • String ID: 0
                                              • API String ID: 1497580162-4108050209
                                              • Opcode ID: 7302f601b39bc6731f80b85402315dad79778aad7945bafe5a966ac861e1a98f
                                              • Instruction ID: b7f822156538a965786ee4e108145c24c6b0238230adc54b2f9736c3ddf7de78
                                              • Opcode Fuzzy Hash: 7302f601b39bc6731f80b85402315dad79778aad7945bafe5a966ac861e1a98f
                                              • Instruction Fuzzy Hash: D3129D30200251AFDB24CF24D998BADBFE1FF46300F54456AE559CB2A2C775E886DF91
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00579AD2
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00579B8B
                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00579BA7
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: 0
                                              • API String ID: 2326795674-4108050209
                                              • Opcode ID: 8ef6d6dd3ad2fc7108da6db7edf795e909af53859f39d6f4fe7783e1cb6b6082
                                              • Instruction ID: 2da7f0019500a5e0bc0cdb6e09d2df394ae676a53e83b7de64686edd965075f0
                                              • Opcode Fuzzy Hash: 8ef6d6dd3ad2fc7108da6db7edf795e909af53859f39d6f4fe7783e1cb6b6082
                                              • Instruction Fuzzy Hash: CF02D070104201AFDB25CF24E849BAABFE9FF85314F04892DF99DD62A1C774D844EB62
                                              APIs
                                              • GetSysColor.USER32(00000012), ref: 0057A903
                                              • SetTextColor.GDI32(?,?), ref: 0057A907
                                              • GetSysColorBrush.USER32(0000000F), ref: 0057A91D
                                              • GetSysColor.USER32(0000000F), ref: 0057A928
                                              • CreateSolidBrush.GDI32(?), ref: 0057A92D
                                              • GetSysColor.USER32(00000011), ref: 0057A945
                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0057A953
                                              • SelectObject.GDI32(?,00000000), ref: 0057A964
                                              • SetBkColor.GDI32(?,00000000), ref: 0057A96D
                                              • SelectObject.GDI32(?,?), ref: 0057A97A
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0057A999
                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0057A9B0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0057A9C5
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0057A9ED
                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0057AA14
                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0057AA32
                                              • DrawFocusRect.USER32(?,?), ref: 0057AA3D
                                              • GetSysColor.USER32(00000011), ref: 0057AA4B
                                              • SetTextColor.GDI32(?,00000000), ref: 0057AA53
                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0057AA67
                                              • SelectObject.GDI32(?,0057A5FA), ref: 0057AA7E
                                              • DeleteObject.GDI32(?), ref: 0057AA89
                                              • SelectObject.GDI32(?,?), ref: 0057AA8F
                                              • DeleteObject.GDI32(?), ref: 0057AA94
                                              • SetTextColor.GDI32(?,?), ref: 0057AA9A
                                              • SetBkColor.GDI32(?,?), ref: 0057AAA4
                                              Similarity
                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 1996641542-0
                                              • Opcode ID: b29854a13cec3356e2495cec0199e090e333b6ad559fceafd176876f6c8bc3b2
                                              • Instruction ID: 7a201ff99af8e3f7e3ca07bfcf119f04c2d2f4a9384e2959621b1f94b4021cf9
                                              • Opcode Fuzzy Hash: b29854a13cec3356e2495cec0199e090e333b6ad559fceafd176876f6c8bc3b2
                                              • Instruction Fuzzy Hash: 3A512D71900208FFDB11DFA4EC48EAE7B79FF48320F118625F919AB2A1D7719994EB50
                                              APIs
                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00578AC1
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00578AD2
                                              • CharNextW.USER32(0000014E), ref: 00578B01
                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00578B42
                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00578B58
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00578B69
                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00578B86
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00578BD8
                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00578BEE
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00578C1F
                                              • _memset.LIBCMT ref: 00578C44
                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00578C8D
                                              • _memset.LIBCMT ref: 00578CEC
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00578D16
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00578D6E
                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00578E1B
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00578E3D
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00578E87
                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00578EB4
                                              • DrawMenuBar.USER32(?), ref: 00578EC3
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00578EEB
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                              • String ID: 0
                                              • API String ID: 1073566785-4108050209
                                              • Opcode ID: 5de8a4cc0a2eed2a8801c5b252c8e56c6eb475c9e6b899a08c5e93714055c32d
                                              • Instruction ID: e5eb331c0351338ad39529ba6f290439749774bc18deda95f369e6668919873e
                                              • Opcode Fuzzy Hash: 5de8a4cc0a2eed2a8801c5b252c8e56c6eb475c9e6b899a08c5e93714055c32d
                                              • Instruction Fuzzy Hash: 7CE15E70940219ABDB21DF50EC88EFE7F79FF49720F108156F919AA290DB709984EF60
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 005749CA
                                              • GetDesktopWindow.USER32 ref: 005749DF
                                              • GetWindowRect.USER32(00000000), ref: 005749E6
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00574A48
                                              • DestroyWindow.USER32(?), ref: 00574A74
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00574A9D
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00574ABB
                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00574AE1
                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00574AF6
                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00574B09
                                              • IsWindowVisible.USER32(?), ref: 00574B29
                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00574B44
                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00574B58
                                              • GetWindowRect.USER32(?,?), ref: 00574B70
                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00574B96
                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00574BB0
                                              • CopyRect.USER32(?,?), ref: 00574BC7
                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00574C32
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                              • String ID: ($0$tooltips_class32
                                              • API String ID: 698492251-4156429822
                                              • Opcode ID: 6c5702b8514fcaa2d42db6d4234bfe99ed0a5ed512092b18902425398c225714
                                              • Instruction ID: bb40b55c7658118ef63780a812e39adaf2e74dc989e676cd7187ce83c66d11e1
                                              • Opcode Fuzzy Hash: 6c5702b8514fcaa2d42db6d4234bfe99ed0a5ed512092b18902425398c225714
                                              • Instruction Fuzzy Hash: A4B17770608340AFDB04DF65E848B6ABBE5BB88304F00891DF99D9B2A1D771EC45DF96
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004F28BC
                                              • GetSystemMetrics.USER32(00000007), ref: 004F28C4
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004F28EF
                                              • GetSystemMetrics.USER32(00000008), ref: 004F28F7
                                              • GetSystemMetrics.USER32(00000004), ref: 004F291C
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004F2939
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004F2949
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004F297C
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004F2990
                                              • GetClientRect.USER32(00000000,000000FF), ref: 004F29AE
                                              • GetStockObject.GDI32(00000011), ref: 004F29CA
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 004F29D5
                                                • Part of subcall function 004F2344: GetCursorPos.USER32(?), ref: 004F2357
                                                • Part of subcall function 004F2344: ScreenToClient.USER32(005B57B0,?), ref: 004F2374
                                                • Part of subcall function 004F2344: GetAsyncKeyState.USER32(00000001), ref: 004F2399
                                                • Part of subcall function 004F2344: GetAsyncKeyState.USER32(00000002), ref: 004F23A7
                                              • SetTimer.USER32(00000000,00000000,00000028,004F1256), ref: 004F29FC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: AutoIt v3 GUI
                                              • API String ID: 1458621304-248962490
                                              • Opcode ID: 0ae98f1a98c5b8c9364343659e827eb708eb98806761bef00a37a40ec416bd42
                                              • Instruction ID: 3b0d0b4f638363e86ec94b2112d7351d384b8363a659acda3649096512ee01ca
                                              • Opcode Fuzzy Hash: 0ae98f1a98c5b8c9364343659e827eb708eb98806761bef00a37a40ec416bd42
                                              • Instruction Fuzzy Hash: 54B18E71A0020AEFDB14DFA8DD45BAE7BB5FF18314F10422AFA15A72E0DB74A841DB54
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                              • API String ID: 3483108802-1459072770
                                              • Opcode ID: 270a8e9693d42426a04aad3794a5b7629ec8bf81d3a3dce848501fb412dad33a
                                              • Instruction ID: fe46942e2296a30a470e4f37beda4d9945e89f9d629295fd466e18ffdad3c833
                                              • Opcode Fuzzy Hash: 270a8e9693d42426a04aad3794a5b7629ec8bf81d3a3dce848501fb412dad33a
                                              • Instruction Fuzzy Hash: 104109315002057BEB14EA74DC4BEFF7FACFF86710F040466F904A6182EB7499919BA5
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0054A47A
                                              • __swprintf.LIBCMT ref: 0054A51B
                                              • _wcscmp.LIBCMT ref: 0054A52E
                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0054A583
                                              • _wcscmp.LIBCMT ref: 0054A5BF
                                              • GetClassNameW.USER32(?,?,00000400), ref: 0054A5F6
                                              • GetDlgCtrlID.USER32(?), ref: 0054A648
                                              • GetWindowRect.USER32(?,?), ref: 0054A67E
                                              • GetParent.USER32(?), ref: 0054A69C
                                              • ScreenToClient.USER32(00000000), ref: 0054A6A3
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0054A71D
                                              • _wcscmp.LIBCMT ref: 0054A731
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0054A757
                                              • _wcscmp.LIBCMT ref: 0054A76B
                                                • Part of subcall function 0051362C: _iswctype.LIBCMT ref: 00513634
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                              • String ID: %s%u
                                              • API String ID: 3744389584-679674701
                                              • Opcode ID: 0144e2a6154cea34622827b6e1bd8aed02d1a96c7335991461bc5a0650222888
                                              • Instruction ID: c05172e773fbed5eed318273abaf3a5df4901270a517824c780ed41b6265e9e3
                                              • Opcode Fuzzy Hash: 0144e2a6154cea34622827b6e1bd8aed02d1a96c7335991461bc5a0650222888
                                              • Instruction Fuzzy Hash: 17A1C171244606AFDB55DF60C888BEABFE8FF84318F008529F999C2190DB30E955CB92
                                              APIs
                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0054AF18
                                              • _wcscmp.LIBCMT ref: 0054AF29
                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0054AF51
                                              • CharUpperBuffW.USER32(?,00000000), ref: 0054AF6E
                                              • _wcscmp.LIBCMT ref: 0054AF8C
                                              • _wcsstr.LIBCMT ref: 0054AF9D
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0054AFD5
                                              • _wcscmp.LIBCMT ref: 0054AFE5
                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0054B00C
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0054B055
                                              • _wcscmp.LIBCMT ref: 0054B065
                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0054B08D
                                              • GetWindowRect.USER32(00000004,?), ref: 0054B0F6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                              • String ID: @$ThumbnailClass
                                              • API String ID: 1788623398-1539354611
                                              • Opcode ID: 9f958ed9a4f79b0f489cc206e05d04aead48c882e8d2c410a64ba11f62d4bc88
                                              • Instruction ID: 89508d6ad5d9559e448fdffc90c4fa6db38a5caed2b6735e99feba180b713c4d
                                              • Opcode Fuzzy Hash: 9f958ed9a4f79b0f489cc206e05d04aead48c882e8d2c410a64ba11f62d4bc88
                                              • Instruction Fuzzy Hash: 53818271108206ABEB05DF14C885FEA7FE8FF94718F04846AFD899A095DB34DD89CB61
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                              • API String ID: 1038674560-1810252412
                                              • Opcode ID: 2d5a2e487cde96407651798b6bc8b8c9d629364e633d5233a3abbede47085925
                                              • Instruction ID: 46f2ddb225eefd6e64652f856f4572ddb9bc70f0327dbc1f923d96b7949726b8
                                              • Opcode Fuzzy Hash: 2d5a2e487cde96407651798b6bc8b8c9d629364e633d5233a3abbede47085925
                                              • Instruction Fuzzy Hash: C631B031A8820EAAEB44EA60DD57EFE7FA4BB15718F60041AB501710D2EE696F04C656
                                              APIs
                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00565013
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0056501E
                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00565029
                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00565034
                                              • LoadCursorW.USER32(00000000,00007F01), ref: 0056503F
                                              • LoadCursorW.USER32(00000000,00007F81), ref: 0056504A
                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00565055
                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00565060
                                              • LoadCursorW.USER32(00000000,00007F86), ref: 0056506B
                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00565076
                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00565081
                                              • LoadCursorW.USER32(00000000,00007F82), ref: 0056508C
                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00565097
                                              • LoadCursorW.USER32(00000000,00007F04), ref: 005650A2
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 005650AD
                                              • LoadCursorW.USER32(00000000,00007F89), ref: 005650B8
                                              • GetCursorInfo.USER32(?), ref: 005650C8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Cursor$Load$Info
                                              • String ID:
                                              • API String ID: 2577412497-0
                                              • Opcode ID: 593c66603ca7290f9f2a853ab6273ae44dc96b7701d2571f2bb7398ee12f33ae
                                              • Instruction ID: 69a5d76d75e3911532d49a63f036fdc778a88851aba41a6b68a901deb9d942b4
                                              • Opcode Fuzzy Hash: 593c66603ca7290f9f2a853ab6273ae44dc96b7701d2571f2bb7398ee12f33ae
                                              • Instruction Fuzzy Hash: 0331E1B1D483196ADF209FB68C8996EBFE8FB04750F50453AA54DE7280EA78A504CF91
                                              APIs
                                              • _memset.LIBCMT ref: 0057A259
                                              • DestroyWindow.USER32(?,?), ref: 0057A2D3
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0057A34D
                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0057A36F
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0057A382
                                              • DestroyWindow.USER32(00000000), ref: 0057A3A4
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004F0000,00000000), ref: 0057A3DB
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0057A3F4
                                              • GetDesktopWindow.USER32 ref: 0057A40D
                                              • GetWindowRect.USER32(00000000), ref: 0057A414
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0057A42C
                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0057A444
                                                • Part of subcall function 004F25DB: GetWindowLongW.USER32(?,000000EB), ref: 004F25EC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                              • String ID: 0$tooltips_class32
                                              • API String ID: 1297703922-3619404913
                                              • Opcode ID: 2d26f943b19609d817383f7f0d6617cdd362bd0d066bb760c4537cc5e9023124
                                              • Instruction ID: 9c32e6f086b94a3a28e81703805d443b299e8a7c66515d797c86bbe54c303386
                                              • Opcode Fuzzy Hash: 2d26f943b19609d817383f7f0d6617cdd362bd0d066bb760c4537cc5e9023124
                                              • Instruction Fuzzy Hash: 7771E270140204AFDB25CF28EC48F6A7BE6FB88304F04891DF989872A0D775E946EB52
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00574424
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0057446F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                              • API String ID: 3974292440-4258414348
                                              • Opcode ID: 4fe32d7bda70afb0151b0513ff34323c2869a2de444559d6848095a9b9e6b7de
                                              • Instruction ID: ef415521c1bd706addeebd6adc883157b332be9587dbd06cfc55b21e3b588f94
                                              • Opcode Fuzzy Hash: 4fe32d7bda70afb0151b0513ff34323c2869a2de444559d6848095a9b9e6b7de
                                              • Instruction Fuzzy Hash: 1D916C702043019FCB04EF10D455AAEBBE1BF96354F04886DF99A5B3A2CB34ED89DB81
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0057B8B4
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005791C2), ref: 0057B910
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0057B949
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0057B98C
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0057B9C3
                                              • FreeLibrary.KERNEL32(?), ref: 0057B9CF
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0057B9DF
                                              • DestroyCursor.USER32(?), ref: 0057B9EE
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0057BA0B
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0057BA17
                                                • Part of subcall function 00512EFD: __wcsicmp_l.LIBCMT ref: 00512F86
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                              • String ID: .dll$.exe$.icl
                                              • API String ID: 3907162815-1154884017
                                              • Opcode ID: a26a6aa5964dede096e26fd8dd7c94f8e8473663b7ef942d8931e012a61e67ff
                                              • Instruction ID: 6e4f68ea244350682b1f010854f895fb3589f102616c99d92ab1e29b3970486a
                                              • Opcode Fuzzy Hash: a26a6aa5964dede096e26fd8dd7c94f8e8473663b7ef942d8931e012a61e67ff
                                              • Instruction Fuzzy Hash: 9F61E071504219BAFB14DF64EC45FBE7BACFB08710F108519FA29D61C0DB749990EBA0
                                              APIs
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              • CharLowerBuffW.USER32(?,?), ref: 0055A3CB
                                              • GetDriveTypeW.KERNEL32 ref: 0055A418
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055A460
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055A497
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055A4C5
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                              • API String ID: 2698844021-4113822522
                                              • Opcode ID: c3df747e9e9d4a11e81725265dfce49bacb64327359ed67c0570e427e26bcbe1
                                              • Instruction ID: 5a4111125423f738f6f094a1c001b14c517f3f59d54b7c85bf019d4411433f4f
                                              • Opcode Fuzzy Hash: c3df747e9e9d4a11e81725265dfce49bacb64327359ed67c0570e427e26bcbe1
                                              • Instruction Fuzzy Hash: 0E5179711042099FC700EF21C89187EBBE4FF95358F00896EF99A572A1DB75AD0ACB42
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0052E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0054F8DF
                                              • LoadStringW.USER32(00000000,?,0052E029,00000001), ref: 0054F8E8
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0052E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0054F90A
                                              • LoadStringW.USER32(00000000,?,0052E029,00000001), ref: 0054F90D
                                              • __swprintf.LIBCMT ref: 0054F95D
                                              • __swprintf.LIBCMT ref: 0054F96E
                                              • _wprintf.LIBCMT ref: 0054FA17
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0054FA2E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                              • API String ID: 984253442-2268648507
                                              • Opcode ID: 384ea3ed7086cc0fd715ddee63ca299b8cabcd81caeaf9874067a00fe111b95f
                                              • Instruction ID: f2161e0db3b8ab916457cfbefa9b176a7ad542297eef5837b3b398ef659d49af
                                              • Opcode Fuzzy Hash: 384ea3ed7086cc0fd715ddee63ca299b8cabcd81caeaf9874067a00fe111b95f
                                              • Instruction Fuzzy Hash: B141707280010DAADF04FBE5DD96EFE7B78EF54304F50006AB605B6091EA396F49CB65
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00579207,?,?), ref: 0057BA56
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00579207,?,?,00000000,?), ref: 0057BA6D
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00579207,?,?,00000000,?), ref: 0057BA78
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00579207,?,?,00000000,?), ref: 0057BA85
                                              • GlobalLock.KERNEL32(00000000), ref: 0057BA8E
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00579207,?,?,00000000,?), ref: 0057BA9D
                                              • GlobalUnlock.KERNEL32(00000000), ref: 0057BAA6
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00579207,?,?,00000000,?), ref: 0057BAAD
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0057BABE
                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00582CAC,?), ref: 0057BAD7
                                              • GlobalFree.KERNEL32(00000000), ref: 0057BAE7
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0057BB0B
                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0057BB36
                                              • DeleteObject.GDI32(00000000), ref: 0057BB5E
                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0057BB74
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                              • String ID:
                                              • API String ID: 3840717409-0
                                              • Opcode ID: 572a5a187bbc39715ff3d8f85165071a0593371e23a5ea78037b852eb0ce13fa
                                              • Instruction ID: 04ac34593bd08634f7b283b00afe6c251094c1175fb63fd73504faced9329fa4
                                              • Opcode Fuzzy Hash: 572a5a187bbc39715ff3d8f85165071a0593371e23a5ea78037b852eb0ce13fa
                                              • Instruction Fuzzy Hash: D7410675600208AFDB11DF65EC88EAABBB9FB99715F108068F90DD7260D7309A45EB60
                                              APIs
                                                • Part of subcall function 00510957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004F6B0C,?,00008000), ref: 00510973
                                                • Part of subcall function 004F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F4743,?,?,004F37AE,?), ref: 004F4770
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004F6BAD
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 004F6CFA
                                                • Part of subcall function 004F586D: _wcscpy.LIBCMT ref: 004F58A5
                                                • Part of subcall function 0051363D: _iswctype.LIBCMT ref: 00513645
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$/vO$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                              • API String ID: 537147316-1300567987
                                              • Opcode ID: 3e42da468829a6a3b88969878aa1dd642271e57afbaea1927c9f2e665939ddaf
                                              • Instruction ID: ce6036255ce9eb78aa03604d23de46d3fcf63eae457033f9e93be9f4ed85d9d1
                                              • Opcode Fuzzy Hash: 3e42da468829a6a3b88969878aa1dd642271e57afbaea1927c9f2e665939ddaf
                                              • Instruction Fuzzy Hash: 1802CC301083459FCB14EF24D8819AFBBE5FF99318F00491EF68A972A1DB38D949CB56
                                              APIs
                                              • __wsplitpath.LIBCMT ref: 0055DA10
                                              • _wcscat.LIBCMT ref: 0055DA28
                                              • _wcscat.LIBCMT ref: 0055DA3A
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0055DA4F
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0055DA63
                                              • GetFileAttributesW.KERNEL32(?), ref: 0055DA7B
                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0055DA95
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0055DAA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                              • String ID: *.*
                                              • API String ID: 34673085-438819550
                                              • Opcode ID: ecc220be7c67c286ec723f2b911e0fbb2552267442b74221a3d9d0669d971ff1
                                              • Instruction ID: 85334b23b26325ffa173fa30f336537bb925d372ef0bb68a8d827955f320e1e0
                                              • Opcode Fuzzy Hash: ecc220be7c67c286ec723f2b911e0fbb2552267442b74221a3d9d0669d971ff1
                                              • Instruction Fuzzy Hash: E8818E725042459FCB34EF64C854AAABBF4BF89315F14482FF889C7251E634D949CB62
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0056738F
                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0056739B
                                              • CreateCompatibleDC.GDI32(?), ref: 005673A7
                                              • SelectObject.GDI32(00000000,?), ref: 005673B4
                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00567408
                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00567444
                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00567468
                                              • SelectObject.GDI32(00000006,?), ref: 00567470
                                              • DeleteObject.GDI32(?), ref: 00567479
                                              • DeleteDC.GDI32(00000006), ref: 00567480
                                              • ReleaseDC.USER32(00000000,?), ref: 0056748B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              • API String ID: 2598888154-3887548279
                                              • Opcode ID: b8cae8f14d123e5adfee57637dddc42c730d2a5edcec218c7e4b250a7035b3d4
                                              • Instruction ID: 5b3b59339785d46e1bdbb2f32d3cc2caeff65c676050fb036242ff240f5ae2f9
                                              • Opcode Fuzzy Hash: b8cae8f14d123e5adfee57637dddc42c730d2a5edcec218c7e4b250a7035b3d4
                                              • Instruction Fuzzy Hash: 4E513771A04209EFCB14CFA8DC88EAEBBB9FF48310F148929F95A97310C771A944DB50
                                              APIs
                                              • _memset.LIBCMT ref: 00552D50
                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00552DDD
                                              • GetMenuItemCount.USER32(005B5890), ref: 00552E66
                                              • DeleteMenu.USER32(005B5890,00000005,00000000,000000F5,?,?), ref: 00552EF6
                                              • DeleteMenu.USER32(005B5890,00000004,00000000), ref: 00552EFE
                                              • DeleteMenu.USER32(005B5890,00000006,00000000), ref: 00552F06
                                              • DeleteMenu.USER32(005B5890,00000003,00000000), ref: 00552F0E
                                              • GetMenuItemCount.USER32(005B5890), ref: 00552F16
                                              • SetMenuItemInfoW.USER32(005B5890,00000004,00000000,00000030), ref: 00552F4C
                                              • GetCursorPos.USER32(?), ref: 00552F56
                                              • SetForegroundWindow.USER32(00000000), ref: 00552F5F
                                              • TrackPopupMenuEx.USER32(005B5890,00000000,?,00000000,00000000,00000000), ref: 00552F72
                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00552F7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                              • String ID:
                                              • API String ID: 3993528054-0
                                              • Opcode ID: 9e5d2f9c0baaa8bd256b3edd613a82274d840a1d1aac9dcaeb8a47a0a00aca34
                                              • Instruction ID: 849eb6fab77ad6af481a67375a29790331a10708ad8894a55362c75403e01766
                                              • Opcode Fuzzy Hash: 9e5d2f9c0baaa8bd256b3edd613a82274d840a1d1aac9dcaeb8a47a0a00aca34
                                              • Instruction Fuzzy Hash: E7710970601205BFEB218F54EC9AFAABF68FF46315F140217FA19AA1E0C7716C58DB51
                                              APIs
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              • _memset.LIBCMT ref: 0054786B
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005478A0
                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005478BC
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005478D8
                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00547902
                                              • CLSIDFromString.COMBASE(?,?), ref: 0054792A
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00547935
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0054793A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                              • API String ID: 1411258926-22481851
                                              • Opcode ID: 08db27475e354e4148cdba27481ff94691fea5c32bcaf6f4a977a8d2e1423d52
                                              • Instruction ID: 6db5cc697bddeb5294a3da396fce157d56f693b6f388478f63caca5fe4269099
                                              • Opcode Fuzzy Hash: 08db27475e354e4148cdba27481ff94691fea5c32bcaf6f4a977a8d2e1423d52
                                              • Instruction Fuzzy Hash: 0541277281422DAADF11EBA5DC95DFDBB78FF18714F00402AE905A2261EB385D08CB94
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056FDAD,?,?), ref: 00570E31
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                              • API String ID: 3964851224-909552448
                                              • Opcode ID: 9461f754f84a942cb13889a64c3cb965581d4c32b941224f8d6fd981b844e57f
                                              • Instruction ID: 4842a83490ea58667d4e209b62b300fa7f7eefff975bb2f03dac5f061dded911
                                              • Opcode Fuzzy Hash: 9461f754f84a942cb13889a64c3cb965581d4c32b941224f8d6fd981b844e57f
                                              • Instruction Fuzzy Hash: 5941793110025ACBDF10EF10E899AEF3FA4BF56304F14A415FC591B2D2DB74A99ADBA0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0052E2A0,00000010,?,Bad directive syntax error,0057F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0054F7C2
• LoadStringW.USER32(00000000,?,0052E2A0,00000010), ref: 0054F7C9
  • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
• _wprintf.LIBCMT ref: 0054F7FC
• __swprintf.LIBCMT ref: 0054F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0054F88D
Strings
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 6a6d2553add18f2c09c6112d8df10913ee88a955f6be06ecdd5c1d0473c1224c
• Instruction ID: 9f0d09145c0552816f6cb00ef8f651fd7cf3e54c053d735c01ae38837a3ae0b9
• Opcode Fuzzy Hash: 6a6d2553add18f2c09c6112d8df10913ee88a955f6be06ecdd5c1d0473c1224c
• Instruction Fuzzy Hash: 1521803290021EEFDF11EF90DC1AEFE7B39BF18304F04046AF605660A1EA759A58DB55
APIs
  • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
  • Part of subcall function 004F7924: _memmove.LIBCMT ref: 004F79AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00555330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00555346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00555357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00555369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0055537A
Strings
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: efa4cc186d0b0f74c503715b4497c4949728ff3ae4888dbaa6388d9562771afa
• Instruction ID: aec2c3fcf3c9b69c080226150d720bfe8e5f57ddf5de90048cb9546e524c6eae
• Opcode Fuzzy Hash: efa4cc186d0b0f74c503715b4497c4949728ff3ae4888dbaa6388d9562771afa
• Instruction Fuzzy Hash: E811B63095016D79E720BB72CC69DFF7F7CFB92B44F00082AB905920D1EDA40D04C5A0
APIs
Strings
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: c25a37c4a98a64136d3498bf50701e949593fc0357471bd9cece851c7d392f55
• Instruction ID: fa5b2def0eb38dfbd9fc0d5776a5f3bc859ee175c5aaa23b47a08755d785c5eb
• Opcode Fuzzy Hash: c25a37c4a98a64136d3498bf50701e949593fc0357471bd9cece851c7d392f55
• Instruction Fuzzy Hash: 0411F331510105ABDB14AB70AC4AEEA7FBCFB56316F0401BAF849D2091EB7099CA9B51
APIs
• timeGetTime.WINMM ref: 00554F7A
  • Part of subcall function 0051049F: timeGetTime.WINMM(?,76C1B400,00500E7B), ref: 005104A3
• Sleep.KERNEL32(0000000A), ref: 00554FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00554FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00554FEC
• SetActiveWindow.USER32 ref: 0055500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00555019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00555038
• Sleep.KERNEL32(000000FA), ref: 00555043
• IsWindow.USER32 ref: 0055504F
• EndDialog.USER32(00000000), ref: 00555060
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 26cb25f2b0b21ac767cefa737288d7aa9f16702a0d60126c41ae9dc98e9ef4dd
• Instruction ID: 6f7e4a4980f65b5e354eb54f1d0e8ad082cd0c581411c4fe1e7d89f79cda55fb
• Opcode Fuzzy Hash: 26cb25f2b0b21ac767cefa737288d7aa9f16702a0d60126c41ae9dc98e9ef4dd
• Instruction Fuzzy Hash: 0721C571204601AFE7609F20FC98B263F69FB64746F541125F809812F1EB61AD9CFB71
APIs
  • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
  • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
• CoInitialize.OLE32(00000000), ref: 0055D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0055D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0055D691
• CoCreateInstance.COMBASE(00582D7C,00000000,00000001,005A8C1C,?), ref: 0055D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0055D74C
• CoTaskMemFree.COMBASE(?), ref: 0055D7A4
• _memset.LIBCMT ref: 0055D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0055D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0055D840
• CoTaskMemFree.COMBASE(00000000), ref: 0055D847
• CoTaskMemFree.COMBASE(00000000), ref: 0055D87E
• CoUninitialize.COMBASE ref: 0055D880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 7d1761f0471937b1e72d15d6ecba25dba2d642c5978a042a8ed8506ab7dd6cd7
• Instruction ID: d3b3cdc07fcd12a639601dec51af7b933c887790eac729a1787f180bbfdf0a65
• Opcode Fuzzy Hash: 7d1761f0471937b1e72d15d6ecba25dba2d642c5978a042a8ed8506ab7dd6cd7
• Instruction Fuzzy Hash: 20B11D75A00109AFDB14DFA4C898EAEBBB9FF48305F048469F909EB261DB30ED45DB50
APIs
• GetDlgItem.USER32(?,00000001), ref: 0054C283
• GetWindowRect.USER32(00000000,?), ref: 0054C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0054C2F3
• GetDlgItem.USER32(?,00000002), ref: 0054C2FE
• GetWindowRect.USER32(00000000,?), ref: 0054C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0054C364
• GetDlgItem.USER32(?,000003E9), ref: 0054C372
• GetWindowRect.USER32(00000000,?), ref: 0054C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0054C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0054C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0054C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0054C3FE
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: c0c99d77b40acd0f288643810df8edc4993a414911eac18f47fcbe81735cbaff
• Instruction ID: b28b88a3761375a2d95e311896af4036ecaadc8e156d205d22557c5500933b57
• Opcode Fuzzy Hash: c0c99d77b40acd0f288643810df8edc4993a414911eac18f47fcbe81735cbaff
• Instruction Fuzzy Hash: 5E517D71B00205ABDB08CFA9DD89AAEBBBAFB98711F14852DF509D7290D7B09D449B10
APIs
  • Part of subcall function 004F25DB: GetWindowLongW.USER32(?,000000EB), ref: 004F25EC
• GetSysColor.USER32(0000000F), ref: 004F21D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 68b49e0f4a60b2114c85f1f1ecbb9a4a56b5dc465e30d35592a1139a590da073
• Instruction ID: 604d5ee27b4d62873fa32bfabe54b538a3fe9c3843a529fa18c75e9cae856fd5
• Opcode Fuzzy Hash: 68b49e0f4a60b2114c85f1f1ecbb9a4a56b5dc465e30d35592a1139a590da073
• Instruction Fuzzy Hash: 5241F731000114DFEB259F28ED88BB93B65FB16331F2543A6FE658A2E1C7758C82EB15
APIs
• CharLowerBuffW.USER32(?,?,0057F910), ref: 0055A90B
• GetDriveTypeW.KERNEL32(00000061,005A89A0,00000061), ref: 0055A9D5
• _wcscpy.LIBCMT ref: 0055A9FF
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 4591b34654e8196ff6a0874d257f438f0b8264ed1a109584eedb699311f88aa9
• Instruction ID: 463eb59d6977ba94a0ddedfacaa7effab8dbb9456c4cae9f1acb1ddfafad752b
• Opcode Fuzzy Hash: 4591b34654e8196ff6a0874d257f438f0b8264ed1a109584eedb699311f88aa9
• Instruction Fuzzy Hash: 0D519831118301AFC304EF14C8A2ABFBBE5FF85745F14492EF996572A2DB709949CA53
APIs
Strings
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: d02c856e68f39160ac7aff325df4f005f425801534fb901f0da7b3f7cee9324e
• Instruction ID: b002698a73edb86595b89368fef5e558f6bc0606197d8a1a729b039715721d9d
• Opcode Fuzzy Hash: d02c856e68f39160ac7aff325df4f005f425801534fb901f0da7b3f7cee9324e
• Instruction Fuzzy Hash: 8141C67161020A9EEB24EF34E845EBA7BF8FF46300F20487FE549D6291EA759D428B11
APIs
• _memset.LIBCMT ref: 0057716A
• CreateMenu.USER32 ref: 00577185
• SetMenu.USER32(?,00000000), ref: 00577194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00577221
• IsMenu.USER32(?), ref: 00577237
• CreatePopupMenu.USER32 ref: 00577241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0057726E
• DrawMenuBar.USER32 ref: 00577276
Strings
                                              Similarity
                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                              • String ID: 0$F
                                              • API String ID: 176399719-3044882817
                                              • Opcode ID: 97c55365140da52f2953863523a453096ae640860cacb6c632c823f312959167
                                              • Instruction ID: d8120829913caeb03ca97d25058e7e3f731f9964d623cf3edf74924599f0cde5
                                              • Opcode Fuzzy Hash: 97c55365140da52f2953863523a453096ae640860cacb6c632c823f312959167
                                              • Instruction Fuzzy Hash: 97416878A01209EFDB20DF64E884F9A7BB5FF59310F144028F919A7361D731A914EFA0
                                              APIs
                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0057755E
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00577565
                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00577578
                                              • SelectObject.GDI32(00000000,00000000), ref: 00577580
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0057758B
                                              • DeleteDC.GDI32(00000000), ref: 00577594
                                              • GetWindowLongW.USER32(?,000000EC), ref: 0057759E
                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005775B2
                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005775BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                              • String ID: static
                                              • API String ID: 2559357485-2160076837
                                              • Opcode ID: f150750fb6ec5b2257847d75c50fd7deeff0376fd16d4b0968d8c6e1cdefbe28
                                              • Instruction ID: 941879d52fb0e3acf2c91e61e7e01ce1e7cda607f9bfff33248a9fb3d60f6dcc
                                              • Opcode Fuzzy Hash: f150750fb6ec5b2257847d75c50fd7deeff0376fd16d4b0968d8c6e1cdefbe28
                                              • Instruction Fuzzy Hash: DA316772104219ABDF119F64FC08FEA3F69FF1D320F104224FA19A21A0D731D865EBA4
                                              APIs
                                              • _memset.LIBCMT ref: 00516E3E
                                                • Part of subcall function 00518B28: __getptd_noexit.LIBCMT ref: 00518B28
                                              • __gmtime64_s.LIBCMT ref: 00516ED7
                                              • __gmtime64_s.LIBCMT ref: 00516F0D
                                              • __gmtime64_s.LIBCMT ref: 00516F2A
                                              • __allrem.LIBCMT ref: 00516F80
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00516F9C
                                              • __allrem.LIBCMT ref: 00516FB3
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00516FD1
                                              • __allrem.LIBCMT ref: 00516FE8
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00517006
                                              • __invoke_watson.LIBCMT ref: 00517077
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                              • String ID:
                                              • API String ID: 384356119-0
                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                              • Instruction ID: fb1a2ba6bc99a7376aa3b8292900187cadf438164c576422ee6f73316439d4ef
                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                              • Instruction Fuzzy Hash: 9171E776A00717ABF714AE6CDC45BABBBB8BF49320F144639F514D62C1E770E9808B90
                                              APIs
                                              • _memset.LIBCMT ref: 00552542
                                              • GetMenuItemInfoW.USER32(005B5890,000000FF,00000000,00000030), ref: 005525A3
                                              • SetMenuItemInfoW.USER32(005B5890,00000004,00000000,00000030), ref: 005525D9
                                              • Sleep.KERNEL32(000001F4), ref: 005525EB
                                              • GetMenuItemCount.USER32(?), ref: 0055262F
                                              • GetMenuItemID.USER32(?,00000000), ref: 0055264B
                                              • GetMenuItemID.USER32(?,-00000001), ref: 00552675
                                              • GetMenuItemID.USER32(?,?), ref: 005526BA
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00552700
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00552714
                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00552735
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                              • String ID:
                                              • API String ID: 4176008265-0
                                              • Opcode ID: d7e34113f8f6e8566bea523024aff614537371fcc7709a4a658f70eb623fb069
                                              • Instruction ID: 31cad9df7e7700c2da248c5ab62c78822e05eb62240a8a4b603df2b6a998d5f9
                                              • Opcode Fuzzy Hash: d7e34113f8f6e8566bea523024aff614537371fcc7709a4a658f70eb623fb069
                                              • Instruction Fuzzy Hash: 47619F70900249AFDF11CF64DCA8ABE7FB8FB46306F14055AEC41A7251DB31AD49EB21
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00576FA5
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00576FA8
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00576FCC
                                              • _memset.LIBCMT ref: 00576FDD
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00576FEF
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00577067
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$LongWindow_memset
                                              • String ID:
                                              • API String ID: 830647256-0
                                              • Opcode ID: 9b07540eb6c30bb2078dab1060076ca584a224770b979669a751cae79b1ecc54
                                              • Instruction ID: 433a7bdb7d88aba616a4bfcacfa629930ee6fbeb409a33e47dea204e9fa5b474
                                              • Opcode Fuzzy Hash: 9b07540eb6c30bb2078dab1060076ca584a224770b979669a751cae79b1ecc54
                                              • Instruction Fuzzy Hash: DA618D71A00208AFDB11DFA4EC85FEE7BB8FB49700F104159FA18A72A1D771AD45EB50
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00546BBF
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00546C18
                                              • VariantInit.OLEAUT32(?), ref: 00546C2A
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00546C4A
                                              • VariantCopy.OLEAUT32(?,?), ref: 00546C9D
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00546CB1
                                              • VariantClear.OLEAUT32(?), ref: 00546CC6
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00546CD3
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00546CDC
                                              • VariantClear.OLEAUT32(?), ref: 00546CEE
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00546CF9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: bb42aab87540d1b3a6b28309ec9b32e6e808d19b68ae0a6b0deb43f721a2424d
                                              • Instruction ID: e15bb0398d5e0c31d89400b3a64155507c3f51b2768dabd5972499568f5995ce
                                              • Opcode Fuzzy Hash: bb42aab87540d1b3a6b28309ec9b32e6e808d19b68ae0a6b0deb43f721a2424d
                                              • Instruction Fuzzy Hash: A3416E31A001199FCF04DF69D888AEEBBB9FF58354F008069E955E7261CB30AD49DBA1
                                              APIs
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              • CoInitialize.OLE32 ref: 00568403
                                              • CoUninitialize.COMBASE ref: 0056840E
                                              • CoCreateInstance.COMBASE(?,00000000,00000017,00582BEC,?), ref: 0056846E
                                              • IIDFromString.COMBASE(?,?), ref: 005684E1
                                              • VariantInit.OLEAUT32(?), ref: 0056857B
                                              • VariantClear.OLEAUT32(?), ref: 005685DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 834269672-1287834457
                                              • Opcode ID: 573062eb7a02eefc18733193415776c653a1222beb438c2a488ffe9ffe553366
                                              • Instruction ID: 0c6feb67e2fcf97e25bdbcfbbdc2e8fe5fec244ab566ce098685b473c4ae299f
                                              • Opcode Fuzzy Hash: 573062eb7a02eefc18733193415776c653a1222beb438c2a488ffe9ffe553366
                                              • Instruction Fuzzy Hash: 03618E70608712AFC710DF14D848F6ABBE8BF59758F044A1DF9869B291DB70ED48CB92
                                              APIs
                                              • WSAStartup.WS2_32(00000101,?), ref: 00565793
                                              • inet_addr.WS2_32(?), ref: 005657D8
                                              • gethostbyname.WS2_32(?), ref: 005657E4
                                              • IcmpCreateFile.IPHLPAPI ref: 005657F2
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00565862
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00565878
                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 005658ED
                                              • WSACleanup.WS2_32 ref: 005658F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: 08f6879b0535f50073ef0fb1211c749bb013a45406451d8b0762883507af42ca
                                              • Instruction ID: 33407badb91be002464b9b752bce3de4c47cd359c9148d7df31af1e3f77f2937
                                              • Opcode Fuzzy Hash: 08f6879b0535f50073ef0fb1211c749bb013a45406451d8b0762883507af42ca
                                              • Instruction Fuzzy Hash: F6518D316446009FD710EF25DC89B6A7BE4FF48724F14492AFA5ADB2A1EB30EC44DB42
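The two blocks above (the CoCreateInstance/IIDFromString routine and the ICMP echo routine tagged with the "Ping" string) carry immediates that the IDA plugin recovered but does not decode. The following Python is an added example, not part of the Joe Sandbox report or of the AutoIt runtime: it parses the plugin's "APIs" line format into structured call records, checks a block for an ordered call sequence, and decodes the IcmpSendEcho immediates and the CoCreateInstance class-context mask. The sample lines are copied from the listing above; the argument positions come from the documented Win32 prototypes, and the 28-byte ICMP_ECHO_REPLY size assumes the 32-bit layout this sample uses.

```python
"""Parse the 'APIs' lines the Joe Sandbox IDA plugin prints for one function
and decode the immediates it recovered for IcmpSendEcho and CoCreateInstance."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]   # hex immediate, resolved string literal, or '?' (unknown)


@dataclass
class ApiCall:
    name: str                         # e.g. IcmpSendEcho
    module: str                       # e.g. IPHLPAPI
    args: List[Arg]                   # positional arguments as the plugin printed them
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for "Part of subcall function X:" lines


# Line shape: "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?(.*?),?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
_HEX = re.compile(r"^(-?)([0-9A-Fa-f]{8})$")

# Sample input, copied from the Ping and ObjCreate blocks of this report.
SAMPLE_PING = """\
• WSAStartup.WS2_32(00000101,?), ref: 00565793
• inet_addr.WS2_32(?), ref: 005657D8
• gethostbyname.WS2_32(?), ref: 005657E4
• IcmpCreateFile.IPHLPAPI ref: 005657F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00565862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00565878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 005658ED
• WSACleanup.WS2_32 ref: 005658F3
"""
SAMPLE_COM = "• CoCreateInstance.COMBASE(?,00000000,00000017,00582BEC,?), ref: 0056846E"


def parse_arg(tok: str) -> Arg:
    """'?' -> None, 8-hex-digit immediates (optionally negative) -> int, else literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = _HEX.match(tok)
    if m:
        value = int(m.group(2), 16)
        return -value if m.group(1) else value
    return tok   # a string the plugin resolved, e.g. 'static' or 'READY'


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE.match(line)
    if not m:
        return None
    sub, body, ref = m.groups()
    args: List[Arg] = []
    if "(" in body:
        body, raw = body.split("(", 1)
        raw = raw[: raw.rfind(")")]
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
    name, module = body.rsplit(".", 1)
    return ApiCall(name, module, args, int(ref, 16), int(sub, 16) if sub else None)


def parse_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def find_sequence(calls: List[ApiCall], names: List[str]) -> bool:
    """True if every name appears in the block in the given order (as a subsequence)."""
    it = iter(c.name for c in calls)
    return all(any(n == seen for seen in it) for n in names)


# CLSCTX bits from wtypesbase.h; 0x17 is the union of all four (CLSCTX_ALL).
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}


def decode_clsctx(value: int) -> List[str]:
    """Expand the dwClsContext argument of CoCreateInstance into flag names."""
    return [name for bit, name in sorted(CLSCTX.items()) if value & bit]


def decode_icmp_send_echo(call: ApiCall) -> Dict[str, Arg]:
    """IcmpSendEcho(IcmpHandle, DestinationAddress, RequestData, RequestSize,
    RequestOptions, ReplyBuffer, ReplySize, Timeout) per the iphlpapi prototype.
    ReplySize must cover sizeof(ICMP_ECHO_REPLY) (28 bytes on x86) + RequestSize
    + 8 bytes for an ICMP error: 28 + 5 + 8 = 41 = 0x29, which is what this block passes."""
    if call.name != "IcmpSendEcho" or len(call.args) != 8:
        raise ValueError("not an IcmpSendEcho call with 8 arguments")
    return {"request_size": call.args[3], "reply_size": call.args[6], "timeout_ms": call.args[7]}


if __name__ == "__main__":
    ping = parse_block(SAMPLE_PING)
    if find_sequence(ping, ["IcmpCreateFile", "IcmpSendEcho", "IcmpCloseHandle"]):
        print("ICMP echo routine:", decode_icmp_send_echo(ping[4]))
    com = parse_api_line(SAMPLE_COM)
    print("CoCreateInstance context:", decode_clsctx(com.args[2]))
```

On the Ping block this yields a 5-byte request (the "Ping" string plus terminator), a 41-byte reply buffer and a 4000 ms timeout, which matches the documented default timeout of AutoIt's Ping() function; WSAStartup(0x0101) requests Winsock 1.1. On the ObjCreate block the 0x17 context expands to all four CLSCTX flags, i.e. the object may be instantiated in-process, out-of-process or remotely, whichever the registered server supports.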
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0055B4D0
                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0055B546
                                              • GetLastError.KERNEL32 ref: 0055B550
                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0055B5BD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Error$Mode$DiskFreeLastSpace
                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                              • API String ID: 4194297153-14809454
                                              • Opcode ID: b923a437b12a44dacee3c0d522ee355760f6acf7950cdc60762efa95e08d3f30
                                              • Instruction ID: 608ef99a741850fb428597f43fd016401fe1a25da4a6c931c576993f88cc5623
                                              • Opcode Fuzzy Hash: b923a437b12a44dacee3c0d522ee355760f6acf7950cdc60762efa95e08d3f30
                                              • Instruction Fuzzy Hash: 8731A175A002099FEB04EB68C899EBD7FB4FF49306F10406BFA0597291FB709A49CB51
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 0054AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0054AABC
                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00549014
                                              • GetDlgCtrlID.USER32 ref: 0054901F
                                              • GetParent.USER32 ref: 0054903B
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0054903E
                                              • GetDlgCtrlID.USER32(?), ref: 00549047
                                              • GetParent.USER32(?), ref: 00549063
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00549066
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: 9f4998618be212226d6268588bad03f40faceeed94ff4e85d418f8fb6fac78eb
                                              • Instruction ID: 1c77a8a1d511c3eb7b8b4f5515e2b8948b3ac0226c5204bba684d21800c1c826
                                              • Opcode Fuzzy Hash: 9f4998618be212226d6268588bad03f40faceeed94ff4e85d418f8fb6fac78eb
                                              • Instruction Fuzzy Hash: 9921D674A00108BFDF04EBA1DC89EFEBB78FF59310F10015AB925972A1DB795859EB20
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 0054AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0054AABC
                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005490FD
                                              • GetDlgCtrlID.USER32 ref: 00549108
                                              • GetParent.USER32 ref: 00549124
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00549127
                                              • GetDlgCtrlID.USER32(?), ref: 00549130
                                              • GetParent.USER32(?), ref: 0054914C
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0054914F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: 433141c1191c702130cfb96d09d01a3f1ef2a76a4e3f975dd182fa6f787e32f2
                                              • Instruction ID: f60cc2fba2eec589416fee5426dd84deabf9fd10785c13a8e1fd1adcb504e6d9
                                              • Opcode Fuzzy Hash: 433141c1191c702130cfb96d09d01a3f1ef2a76a4e3f975dd182fa6f787e32f2
                                              • Instruction Fuzzy Hash: 0F21F574A00109BFDF00EBA1DC89EFEBB78FF58300F00001ABA15972A1DB794859EB20
                                              APIs
                                              • GetParent.USER32 ref: 0054916F
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00549184
                                              • _wcscmp.LIBCMT ref: 00549196
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00549211
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameParentSend_wcscmp
                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                              • API String ID: 1704125052-3381328864
                                              • Opcode ID: 2f6272c26772322019b3768b57c07a4c43db3a776aeb8d880af6f96ccb56b1fc
                                              • Instruction ID: ba114e46a4749569daa8a0b5c5d4069067a2a1d55f5c81f2498b7d65ef89a5ee
                                              • Opcode Fuzzy Hash: 2f6272c26772322019b3768b57c07a4c43db3a776aeb8d880af6f96ccb56b1fc
                                              • Instruction Fuzzy Hash: 1511CA3A24C30BBDFB152624EC0BDFB3F9CFB55724F200526FA14A54D1FEA268A16654
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 005688D7
                                              • CoInitialize.OLE32(00000000), ref: 00568904
                                              • CoUninitialize.COMBASE ref: 0056890E
                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00568A0E
                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00568B3B
                                              • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00582C0C), ref: 00568B6F
                                              • CoGetObject.OLE32(?,00000000,00582C0C,?), ref: 00568B92
                                              • SetErrorMode.KERNEL32(00000000), ref: 00568BA5
                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00568C25
                                              • VariantClear.OLEAUT32(?), ref: 00568C35
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                              • String ID:
                                              • API String ID: 2395222682-0
                                              • Opcode ID: c41856b9013752080e6fb2dace9ae0a8d052ccd938e25e5cccc634b858741882
                                              • Instruction ID: d65affd14a4405ad17ab42ad1c3c45236b5922bd310ef017685eb3114a659544
                                              • Opcode Fuzzy Hash: c41856b9013752080e6fb2dace9ae0a8d052ccd938e25e5cccc634b858741882
                                              • Instruction Fuzzy Hash: 6CC126B1608305AFD700DF64C88492BBBE9FF89348F004A5DF98A9B261DB71ED45CB52
                                              APIs
                                              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00557A6C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ArraySafeVartype
                                              • String ID:
                                              • API String ID: 1725837607-0
                                              • Opcode ID: e34ca9888c234f818af4c8322754c8e75f983d85a3187f518e97638173d5c1b8
                                              • Instruction ID: 5d17944f8f39054e0c1e32feb6b0472d9b6a2542ac3269211732af1f6bbb162f
                                              • Opcode Fuzzy Hash: e34ca9888c234f818af4c8322754c8e75f983d85a3187f518e97638173d5c1b8
                                              • Instruction Fuzzy Hash: 61B16D7190421E9FDB00DF94E8A5BBEBBB5FF49322F20442AE901E7241D774AD49DB90
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 005511F0
                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00550268,?,00000001), ref: 00551204
                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0055120B
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00550268,?,00000001), ref: 0055121A
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0055122C
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00550268,?,00000001), ref: 00551245
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00550268,?,00000001), ref: 00551257
                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00550268,?,00000001), ref: 0055129C
                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00550268,?,00000001), ref: 005512B1
                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00550268,?,00000001), ref: 005512BC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                              • String ID:
                                              • API String ID: 2156557900-0
                                              • Opcode ID: 5ae79b2e1c892078a3fa984fff41c880453ebb867944fcbfcac2bd0bfc0269b5
                                              • Instruction ID: 7343b8f6b66d2aaf43acb3a487f06b58d634a8d5bffae04f81841a83d07ce058
                                              • Opcode Fuzzy Hash: 5ae79b2e1c892078a3fa984fff41c880453ebb867944fcbfcac2bd0bfc0269b5
                                              • Instruction Fuzzy Hash: 00319E79A00604BBDB10DF55FD98F797FA9FB64312F104226FD04C61A0D778AD88AB64
                                              APIs
                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004FFAA6
                                              • OleUninitialize.OLE32(?,00000000), ref: 004FFB45
                                              • UnregisterHotKey.USER32(?), ref: 004FFC9C
                                              • DestroyWindow.USER32(?), ref: 005345D6
                                              • FreeLibrary.KERNEL32(?), ref: 0053463B
                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00534668
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                              • String ID: close all
                                              • API String ID: 469580280-3243417748
                                              • Opcode ID: 7ed75ffd344168d72f8013665670ba1f37274907aa78b61b724cfcf6eed4f220
                                              • Instruction ID: 90af82264094c3484fe235552f9d0cc613badd364abe93f9e57101685f53892e
                                              • Opcode Fuzzy Hash: 7ed75ffd344168d72f8013665670ba1f37274907aa78b61b724cfcf6eed4f220
                                              • Instruction Fuzzy Hash: AAA1B030701216CFDB29EF10C5A9A79FB64BF45710F1042AEE90AAB261DB34EC5ACF54
                                              APIs
                                              • EnumChildWindows.USER32(?,0054A439), ref: 0054A377
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ChildEnumWindows
                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                              • API String ID: 3555792229-1603158881
                                              • Opcode ID: 62cddc4ecca9f97cc2056f1f175e8c73dcdcc50062e578803b952f2974fe63ff
                                              • Instruction ID: 575954c845ee080e8b781918090e750f96905ecd2bc9428a7bd1b764cae5b05b
                                              • Opcode Fuzzy Hash: 62cddc4ecca9f97cc2056f1f175e8c73dcdcc50062e578803b952f2974fe63ff
                                              • Instruction Fuzzy Hash: 3591F63160460AAFDB48DFA0C846BEEFFB4BF44308F54851AE849A7181DF7069D9DB91
                                              APIs
                                              • SetWindowLongW.USER32(?,000000EB), ref: 004F2EAE
                                                • Part of subcall function 004F1DB3: GetClientRect.USER32(?,?), ref: 004F1DDC
                                                • Part of subcall function 004F1DB3: GetWindowRect.USER32(?,?), ref: 004F1E1D
                                                • Part of subcall function 004F1DB3: ScreenToClient.USER32(?,?), ref: 004F1E45
                                              • GetDC.USER32 ref: 0052CD32
                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0052CD45
                                              • SelectObject.GDI32(00000000,00000000), ref: 0052CD53
                                              • SelectObject.GDI32(00000000,00000000), ref: 0052CD68
                                              • ReleaseDC.USER32(?,00000000), ref: 0052CD70
                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0052CDFB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                              • String ID: U
                                              • API String ID: 4009187628-3372436214
                                              • Opcode ID: c645709d624a701d7ba82a02c0d9523843d8d2d2e32848b49d0c4e31f604b307
                                              • Instruction ID: 3506f20204a88e0047de09028fe7369f06b5cb588865ab045fb88e18a7616141
                                              • Opcode Fuzzy Hash: c645709d624a701d7ba82a02c0d9523843d8d2d2e32848b49d0c4e31f604b307
                                              • Instruction Fuzzy Hash: 9B71D131500209DFCF258F64E884ABE3FB5FF5A310F24427AED595A2A6D7309C85EB60
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00561A50
                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00561A7C
                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00561ABE
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00561AD3
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00561AE0
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00561B10
                                              • InternetCloseHandle.WININET(00000000), ref: 00561B57
                                                • Part of subcall function 00562483: GetLastError.KERNEL32(?,?,00561817,00000000,00000000,00000001), ref: 00562498
                                                • Part of subcall function 00562483: SetEvent.KERNEL32(?,?,00561817,00000000,00000000,00000001), ref: 005624AD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                              • String ID:
                                              • API String ID: 2603140658-3916222277
                                              • Opcode ID: 1924fabf2d935719fb59d3db0dce8bca099c59539b42181d2f40f1e9437513a1
                                              • Instruction ID: 3b5fdaed96e65ddd79af4b766ce1eb43f484224e5edb71b6919a71dd18b42732
                                              • Opcode Fuzzy Hash: 1924fabf2d935719fb59d3db0dce8bca099c59539b42181d2f40f1e9437513a1
                                              • Instruction Fuzzy Hash: 21418EB1501A09BFEB158F50DC89FFA7BACFF08354F044126F9059B151EB709E449BA4
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0057F910), ref: 00568D28
                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0057F910), ref: 00568D5C
                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00568ED6
                                              • SysFreeString.OLEAUT32(?), ref: 00568F00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                              • String ID:
                                              • API String ID: 560350794-0
                                              • Opcode ID: c7bd3c5457914f145e9497841861910f2a8175a316c3622b1c2758df6f8bb2a6
                                              • Instruction ID: dc517c0dec8a77ec8d72e05ea1b7e259f073883526d18e95c8097e7e19923512
                                              • Opcode Fuzzy Hash: c7bd3c5457914f145e9497841861910f2a8175a316c3622b1c2758df6f8bb2a6
                                              • Instruction Fuzzy Hash: 65F14871A00209EFCF14DF94C888EBEBBB9BF49314F108599F915AB251DB31AE45DB50
                                              APIs
                                              • _memset.LIBCMT ref: 0056F6B5
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0056F848
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0056F86C
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0056F8AC
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0056F8CE
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0056FA4A
                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0056FA7C
                                              • CloseHandle.KERNEL32(?), ref: 0056FAAB
                                              • CloseHandle.KERNEL32(?), ref: 0056FB22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                              • String ID:
                                              • API String ID: 4090791747-0
                                              • Opcode ID: a2a19e2d6f7d7d6eb8c5ad34e641592d67bd5c598968521d8ad359b978cd265a
                                              • Instruction ID: d62958dc7be44f39b1e1036db001b420a3e78abdd5c8fbf2dfa01f7faf203986
                                              • Opcode Fuzzy Hash: a2a19e2d6f7d7d6eb8c5ad34e641592d67bd5c598968521d8ad359b978cd265a
                                              • Instruction Fuzzy Hash: 84E1AE31A042019FD714EF25E895B6ABFE1FF85354F14896DF8998B2A2CB30EC45CB52
                                              APIs
                                                • Part of subcall function 004F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004F2036,?,00000000,?,?,?,?,004F16CB,00000000,?), ref: 004F1B9A
                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004F20D3
                                              • KillTimer.USER32(-00000001,?,?,?,?,004F16CB,00000000,?,?,004F1AE2,?,?), ref: 004F216E
                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0052BCA6
                                              • DeleteObject.GDI32(00000000), ref: 0052BD1C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                              • String ID:
                                              • API String ID: 2402799130-0
                                              • Opcode ID: 6e68531cb094120fc24be6ef98f75a0e4df66ede716f1acc5c160cdfba55d397
                                              • Instruction ID: e8024a1d30153afa3d30653716ed33032c2c15b9693b3a4455209b1ff4db1ea5
                                              • Opcode Fuzzy Hash: 6e68531cb094120fc24be6ef98f75a0e4df66ede716f1acc5c160cdfba55d397
                                              • Instruction Fuzzy Hash: 6161BF31100A15DFDB399F14EA48B367BF1FF54302F20452AE246466B0CBB8B885EF49
                                              APIs
                                                • Part of subcall function 0055466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00553697,?), ref: 0055468B
                                                • Part of subcall function 0055466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00553697,?), ref: 005546A4
                                                • Part of subcall function 00554A31: GetFileAttributesW.KERNEL32(?,0055370B), ref: 00554A32
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00554D40
                                              • _wcscmp.LIBCMT ref: 00554D5A
                                              • MoveFileW.KERNEL32(?,?), ref: 00554D75
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                              • String ID:
                                              • API String ID: 793581249-0
                                              • Opcode ID: 1d8640699c2d7193b7526a6bbdef73b881e448c5c7eb1d6fba656a27e9fcbff7
                                              • Instruction ID: cac90fb8a1ceb9932a71c196bcfc0f9a96a4344e853702af960c598400401674
                                              • Opcode Fuzzy Hash: 1d8640699c2d7193b7526a6bbdef73b881e448c5c7eb1d6fba656a27e9fcbff7
                                              • Instruction Fuzzy Hash: 3A514FB20083459BC724DBA4D8959EB77ECAF84355F40092FB689D3151EE34A58CCB56
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005786FF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: 3910ea66445b4030137518ae4ef81e133c9311ab6e175d01a0bcbd9cb4276118
                                              • Instruction ID: 434717ed250cc248228148490d0a30a9fffe984911e9ba1c88a0cea27ffcead2
                                              • Opcode Fuzzy Hash: 3910ea66445b4030137518ae4ef81e133c9311ab6e175d01a0bcbd9cb4276118
                                              • Instruction Fuzzy Hash: 3451A130680204BEEB249F25AC8DFBD3F64FB15714F608516FA1DD61A1CB72A980FB51
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0052C2F7
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0052C319
                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0052C331
                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0052C34F
                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0052C370
                                              • DestroyCursor.USER32(00000000), ref: 0052C37F
                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0052C39C
                                              • DestroyCursor.USER32(?), ref: 0052C3AB
                                                • Part of subcall function 0057A4AF: DeleteObject.GDI32(00000000), ref: 0057A4E8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                              • String ID:
                                              • API String ID: 2975913752-0
                                              • Opcode ID: 64b510ab680d3dc11904f95c2233e751f4d4348454b913754fd09ab8e71cff20
                                              • Instruction ID: 32bdb85cb3b716208f159fcd208d08e13ea074a0a29b52261a89595936f96e7c
                                              • Opcode Fuzzy Hash: 64b510ab680d3dc11904f95c2233e751f4d4348454b913754fd09ab8e71cff20
                                              • Instruction Fuzzy Hash: CC517870600209AFDB24DF65DD45BAE3BB5FF68310F204929FA0697290DBB4AD91EB50
                                              APIs
                                                • Part of subcall function 0054A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0054A84C
                                                • Part of subcall function 0054A82C: GetCurrentThreadId.KERNEL32 ref: 0054A853
                                                • Part of subcall function 0054A82C: AttachThreadInput.USER32(00000000,?,00549683,?,00000001), ref: 0054A85A
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0054968E
                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005496AB
                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005496AE
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 005496B7
                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005496D5
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005496D8
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 005496E1
                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005496F8
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005496FB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                              • String ID:
                                              • API String ID: 2014098862-0
                                              • Opcode ID: 221bce22017734c473cfd0ac8531cc35da1a560181c9ac3350d263cf16fce0cf
                                              • Instruction ID: fe03d4d04142ed44b3a35663b1b50aabdca7bea141a49a84d9118827c0bc4af2
                                              • Opcode Fuzzy Hash: 221bce22017734c473cfd0ac8531cc35da1a560181c9ac3350d263cf16fce0cf
                                              • Instruction Fuzzy Hash: DE118671550618BFF610AB60EC4DF6A7E1DEB5C765F510425F2489B0A0C9F25C50EBA4
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0054853C,00000B00,?,?), ref: 0054892A
                                              • RtlAllocateHeap.NTDLL(00000000,?,0054853C), ref: 00548931
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0054853C,00000B00,?,?), ref: 00548946
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0054853C,00000B00,?,?), ref: 0054894E
                                              • DuplicateHandle.KERNEL32(00000000,?,0054853C,00000B00,?,?), ref: 00548951
                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0054853C,00000B00,?,?), ref: 00548961
                                              • GetCurrentProcess.KERNEL32(0054853C,00000000,?,0054853C,00000B00,?,?), ref: 00548969
                                              • DuplicateHandle.KERNEL32(00000000,?,0054853C,00000B00,?,?), ref: 0054896C
                                              • CreateThread.KERNEL32(00000000,00000000,00548992,00000000,00000000,00000000), ref: 00548986
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                              • String ID:
                                              • API String ID: 1422014791-0
                                              • Opcode ID: dc6112cab23b4ec5db781fbc2eda1386169285a5f640d018bc5ae8e9a0d6ce86
                                              • Instruction ID: 532ca864fa7f18f64e004e510ee00796df3b4ef11f1c3713cd479dca033ae323
                                              • Opcode Fuzzy Hash: dc6112cab23b4ec5db781fbc2eda1386169285a5f640d018bc5ae8e9a0d6ce86
                                              • Instruction Fuzzy Hash: 6E01AC75240304FFE610EFA5EC49F6B3B6CEB99711F404421FA09DB191CA709844EB20
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$_memset
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2862541840-625585964
                                              • Opcode ID: 3181225cc70424c8c58a078effa79676c431181d50cd765ed3c55ed7ec583ac5
                                              • Instruction ID: c0c3ebc168004b167328d5aee83f503de7a5dddb6918fa2d5e539bf3ea246c00
                                              • Opcode Fuzzy Hash: 3181225cc70424c8c58a078effa79676c431181d50cd765ed3c55ed7ec583ac5
                                              • Instruction Fuzzy Hash: E3917C71A00219EBDF24DFA5D848FAEBBB8FF85710F108959F915AB280D7709945CBA0
                                              APIs
                                                • Part of subcall function 0054710A: CLSIDFromProgID.COMBASE ref: 00547127
                                                • Part of subcall function 0054710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00547142
                                                • Part of subcall function 0054710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00547044,80070057,?,?), ref: 00547150
                                                • Part of subcall function 0054710A: CoTaskMemFree.COMBASE(00000000), ref: 00547160
                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00569806
                                              • _memset.LIBCMT ref: 00569813
                                              • _memset.LIBCMT ref: 00569956
                                              • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00569982
                                              • CoTaskMemFree.COMBASE(?), ref: 0056998D
                                              Strings
                                              • NULL Pointer assignment, xrefs: 005699DB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                              • String ID: NULL Pointer assignment
                                              • API String ID: 1300414916-2785691316
                                              • Opcode ID: 47aa1fb3fc30d11a9320ea284b70e4fa766c10c59465ee7f83e8fc431e0767c3
                                              • Instruction ID: 1945be17c72ef0a1653fcc59e16e8ed0a5f0e76b55444a813ee4a5900ae766ef
                                              • Opcode Fuzzy Hash: 47aa1fb3fc30d11a9320ea284b70e4fa766c10c59465ee7f83e8fc431e0767c3
                                              • Instruction Fuzzy Hash: CD911671D0021DEBDB10DFA5DC85EEEBBB9BF08314F10415AE519A7291EB719A44CFA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00576E24
                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00576E38
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00576E52
                                              • _wcscat.LIBCMT ref: 00576EAD
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00576EC4
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00576EF2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window_wcscat
                                              • String ID: SysListView32
                                              • API String ID: 307300125-78025650
                                              • Opcode ID: 5b20d00e6ac6201db1858bcd3e180d7f7af6c7d8db6a9893645be3fc6d62257e
                                              • Instruction ID: 03315e08218409b4faaf010d69c4b901f3a8654c87b0842f69617f921195dfad
                                              • Opcode Fuzzy Hash: 5b20d00e6ac6201db1858bcd3e180d7f7af6c7d8db6a9893645be3fc6d62257e
                                              • Instruction Fuzzy Hash: 0641B270A00319AFEB21DF64EC85BEE7BE8FF08750F10446AF948E7191D6719D84AB60
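The function records above (API references grouped per function by the IDA plugin) are normally triaged by eye. As an added example, not part of this report or of Joe Sandbox's own tooling, the Python below parses that plain-text record layout, keeps direct references apart from "Part of subcall function" ones, flags API combinations such as CreateProcessW, the Toolhelp32 enumeration feeding OpenProcess/TerminateProcess, and CoInitializeSecurity/CoCreateInstanceEx, and decodes the OpenProcess access mask (00000001 is PROCESS_TERMINATE). The embedded excerpt is trimmed from records on this page; the rule names, the rule table and the record numbering are this example's own assumptions. One caveat for anyone reusing it: the report identifies the sample as a compiled AutoIt script, so functions like these are the runtime's own primitives (process launch, process kill, COM object creation, synthetic keystrokes) and every AutoIt binary carries them; a flag says the capability is present, not that the script uses it.

```python
"""Triage helper for Joe Sandbox 'APIs' function records (added example, not
part of the report or of Joe Sandbox). Parses: an 'APIs' heading, bullet lines
of API references, an optional 'Strings' section, then metadata headings that
close the section. Rule names and the rule table are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The three bullet shapes the report prints:
#   • CreateProcessW.KERNEL32(00000000,?,...), ref: 0056FA4A
#   • _memset.LIBCMT ref: 0056F6B5
#   • Part of subcall function 00553C55: Process32FirstW.KERNEL32(00000000,?), ref: 00553C88
_CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# A string bullet:  • NULL Pointer assignment, xrefs: 005699DB
_STR_RE = re.compile(r"^•\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-Fa-f]+$")

@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # argument tokens as printed; '?' means unresolved
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when the reference is indirect

@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def apis(self, include_subcalls: bool = True) -> set:
        return {c.api for c in self.calls if include_subcalls or c.subcall is None}

def parse_records(text: str) -> List[FunctionRecord]:
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                 # every function record starts with this heading
            current = FunctionRecord()
            records.append(current)
            section = "apis"
            continue
        if line == "Strings":
            section = "strings"
            continue
        if not line.startswith("•"):       # any other heading closes the open section
            section = None
            continue
        if current is None:
            continue
        if section == "apis" and (m := _CALL_RE.match(line)):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            current.calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
        elif section == "strings" and (m := _STR_RE.match(line)):
            current.strings.append(m.group("s"))
    return records

# A record gets a label when it references every listed API, directly or via a subcall.
CAPABILITY_RULES = {
    "spawns-process": {"CreateProcessW"},
    "kills-process-by-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW",
                                     "OpenProcess", "TerminateProcess"},
    "creates-com-object": {"CoInitializeSecurity", "CoCreateInstanceEx"},
    "injects-keystrokes": {"AttachThreadInput", "MapVirtualKeyW", "PostMessageW"},
}
# Documented PROCESS_* access bits (winnt.h) for reading OpenProcess's first argument.
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}

def open_process_access(rec: FunctionRecord) -> set:
    names = set()
    for c in rec.calls:
        if c.api == "OpenProcess" and c.args and c.args[0] != "?":
            mask = int(c.args[0], 16)
            names.update(n for bit, n in PROCESS_ACCESS.items() if mask & bit)
    return names

def triage(text: str) -> List[dict]:
    out = []
    for i, rec in enumerate(parse_records(text)):
        apis = rec.apis()
        out.append({"record": i, "apis": sorted(apis),
                    "capabilities": sorted(n for n, need in CAPABILITY_RULES.items() if need <= apis),
                    "open_process_access": sorted(open_process_access(rec)),
                    "strings": rec.strings})
    return out

# Excerpt trimmed from four records on this page (the third is the report's
# empty 'APIs'/'Strings' record); bullet text is kept exactly as printed.
SAMPLE_DUMP = """\
APIs
• _memset.LIBCMT ref: 0056F6B5
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0056FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0056FA7C
• CloseHandle.KERNEL32(?), ref: 0056FAAB
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
APIs
  • Part of subcall function 0054710A: CLSIDFromProgID.COMBASE ref: 00547127
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00569806
• CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00569982
Strings
• NULL Pointer assignment, xrefs: 005699DB
APIs
Strings
Memory Dump Source
APIs
  • Part of subcall function 00553C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00553C7A
  • Part of subcall function 00553C55: Process32FirstW.KERNEL32(00000000,?), ref: 00553C88
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0056E9A4
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0056EA63
• CloseHandle.KERNEL32(00000000), ref: 0056EAA3
"""
```

Run `triage(SAMPLE_DUMP)` to get one dict per record; the fourth record comes back with `kills-process-by-enumeration` and `PROCESS_TERMINATE`, which is the minimal access that call needs, so a larger mask (VM_WRITE, CREATE_THREAD) on an OpenProcess that is followed by TerminateProcess would be the thing to look at more closely. Pasting the whole report export into `parse_records` works the same way, since the metadata headings between records are treated as section terminators.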
                                              APIs
                                                • Part of subcall function 00553C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00553C7A
                                                • Part of subcall function 00553C55: Process32FirstW.KERNEL32(00000000,?), ref: 00553C88
                                                • Part of subcall function 00553C55: CloseHandle.KERNEL32(00000000), ref: 00553D52
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0056E9A4
                                              • GetLastError.KERNEL32 ref: 0056E9B7
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0056E9E6
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0056EA63
                                              • GetLastError.KERNEL32(00000000), ref: 0056EA6E
                                              • CloseHandle.KERNEL32(00000000), ref: 0056EAA3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 2533919879-2896544425
                                              APIs
                                              • LoadIconW.USER32(00000000,00007F03), ref: 00553033
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: IconLoad
                                              • String ID: blank$info$question$stop$warning
                                              • API String ID: 2457776203-404129466
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00554312
                                              • LoadStringW.USER32(00000000), ref: 00554319
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0055432F
                                              • LoadStringW.USER32(00000000), ref: 00554336
                                              • _wprintf.LIBCMT ref: 0055435C
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0055437A
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00554357
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message_wprintf
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 3648134473-3128320259
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0052C1C7,00000004,00000000,00000000,00000000), ref: 004F2ACF
                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0052C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 004F2B17
                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0052C1C7,00000004,00000000,00000000,00000000), ref: 0052C21A
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0052C1C7,00000004,00000000,00000000,00000000), ref: 0052C286
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: ShowWindow
                                              • String ID:
                                              • API String ID: 1268545403-0
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 005570DD
                                                • Part of subcall function 00510DB6: std::exception::exception.LIBCMT ref: 00510DEC
                                                • Part of subcall function 00510DB6: __CxxThrowException@8.LIBCMT ref: 00510E01
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00557114
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00557130
                                              • _memmove.LIBCMT ref: 0055717E
                                              • _memmove.LIBCMT ref: 0055719B
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 005571AA
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005571BF
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 005571DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 256516436-0
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 005761EB
                                              • GetDC.USER32(00000000), ref: 005761F3
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005761FE
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0057620A
                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00576246
                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00576257
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0057902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00576291
                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005762B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                              • String ID:
                                              • API String ID: 3864802216-0
                                              APIs
                                              • IsWindow.USER32(01795DE0), ref: 0057B3EB
                                              • IsWindowEnabled.USER32(01795DE0), ref: 0057B3F7
                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0057B4DB
                                              • SendMessageW.USER32(01795DE0,000000B0,?,?), ref: 0057B512
                                              • IsDlgButtonChecked.USER32(?,?), ref: 0057B54F
                                              • GetWindowLongW.USER32(01795DE0,000000EC), ref: 0057B571
                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0057B589
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                              • String ID:
                                              • API String ID: 4072528602-0
                                              APIs
                                              • _memset.LIBCMT ref: 0056F448
                                              • _memset.LIBCMT ref: 0056F511
                                              • ShellExecuteExW.SHELL32(?), ref: 0056F556
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                                • Part of subcall function 0050FC86: _wcscpy.LIBCMT ref: 0050FCA9
                                              • GetProcessId.KERNEL32(00000000), ref: 0056F5CD
                                              • CloseHandle.KERNEL32(00000000), ref: 0056F5FC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                              • String ID: @
                                              • API String ID: 3522835683-2766056989
                                              APIs
                                              • GetParent.USER32(?), ref: 00550F8C
                                              • GetKeyboardState.USER32(?), ref: 00550FA1
                                              • SetKeyboardState.USER32(?), ref: 00551002
                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00551030
                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0055104F
                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00551095
                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005510B8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              APIs
                                              • GetParent.USER32(00000000), ref: 00550DA5
                                              • GetKeyboardState.USER32(?), ref: 00550DBA
                                              • SetKeyboardState.USER32(?), ref: 00550E1B
                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00550E47
                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00550E64
                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00550EA8
                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00550EC9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: af4ba5a7362a42f614b745234f95db84e9082ef71c93e0485b9b28826d9eb230
                                              • Instruction ID: fd23d132e26f56c5a3118ebcdf3123de5ee1216ad3d75f93b1fbd1182d96b4ab
                                              • Opcode Fuzzy Hash: af4ba5a7362a42f614b745234f95db84e9082ef71c93e0485b9b28826d9eb230
                                              • Instruction Fuzzy Hash: 615118A05047D57DFB3283748C66BBA7FA97F06301F18988AE9D4468C2C395EC8CE750
                                              Similarity
                                              • API ID: _wcsncpy$LocalTime
                                              • String ID:
                                              • API String ID: 2945705084-0
                                              • Opcode ID: c95727b2b35e72ec6b173645ca4b06554ebba54430ea9665a62df05c32573e92
                                              • Instruction ID: 8aa73eedc3bd8c424223e407472134c0b5d8b1ed72216223ac56f017b78c9cbf
                                              • Opcode Fuzzy Hash: c95727b2b35e72ec6b173645ca4b06554ebba54430ea9665a62df05c32573e92
                                              • Instruction Fuzzy Hash: 4141B575C2061576DB11EBB58C8A9CFBBB8BF44310F508956E908E3221FB34A295C7E6
                                              APIs
                                                • Part of subcall function 0055466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00553697,?), ref: 0055468B
                                                • Part of subcall function 0055466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00553697,?), ref: 005546A4
                                              • lstrcmpiW.KERNEL32(?,?), ref: 005536B7
                                              • _wcscmp.LIBCMT ref: 005536D3
                                              • MoveFileW.KERNEL32(?,?), ref: 005536EB
                                              • _wcscat.LIBCMT ref: 00553733
                                              • SHFileOperationW.SHELL32(?), ref: 0055379F
                                              Similarity
                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                              • String ID: \*.*
                                              • API String ID: 1377345388-1173974218
                                              • Opcode ID: 3504ba4b70b5a26e9ca1177f6a7ecc977e9f7929227d88a58f3117e092f652c1
                                              • Instruction ID: 2a8d40076f35a5255746e83f32bc79cdaf220f275b6b9d008a8cd8378275fce1
                                              • Opcode Fuzzy Hash: 3504ba4b70b5a26e9ca1177f6a7ecc977e9f7929227d88a58f3117e092f652c1
                                              • Instruction Fuzzy Hash: C7418E71508345AAD752EF64D4559DFBBE8FF89384F00082FB88AC3251EA34D68DCB56
                                              APIs
                                              • _memset.LIBCMT ref: 005772AA
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00577351
                                              • IsMenu.USER32(?), ref: 00577369
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005773B1
                                              • DrawMenuBar.USER32 ref: 005773C4
                                              Similarity
                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                              • String ID: 0
                                              • API String ID: 3866635326-4108050209
                                              • Opcode ID: cd2dfbca2bdd4deb94dfbef4ef75a8b452be5187fde0e59157bacef7c125487b
                                              • Instruction ID: ee786d271ed1f9d914a758bee9e04b31e47714629d36868eb8e6b454645c2395
                                              • Opcode Fuzzy Hash: cd2dfbca2bdd4deb94dfbef4ef75a8b452be5187fde0e59157bacef7c125487b
                                              • Instruction Fuzzy Hash: 7A411675A04209AFDB20DF50E884A9ABBF8FB09354F248929FD1997290D730AD54FF50
                                              APIs
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00570FD4
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00570FFE
                                              • FreeLibrary.KERNEL32(00000000), ref: 005710B5
                                                • Part of subcall function 00570FA5: RegCloseKey.ADVAPI32(?), ref: 0057101B
                                                • Part of subcall function 00570FA5: FreeLibrary.KERNEL32(?), ref: 0057106D
                                                • Part of subcall function 00570FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00571090
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00571058
                                              Similarity
                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                              • String ID:
                                              • API String ID: 395352322-0
                                              • Opcode ID: 01593381eeaddb7643b88419a3eee82c3e31d7d7ab6ed94249ce4ea6e30991ab
                                              • Instruction ID: 6f9f4055bab60042d24ac125409d259f4941bf693a31096856fba7730e556b02
                                              • Opcode Fuzzy Hash: 01593381eeaddb7643b88419a3eee82c3e31d7d7ab6ed94249ce4ea6e30991ab
                                              • Instruction Fuzzy Hash: 9031FE71911109BFDB15DF94EC899FEBBBCFF08300F104169E50AA2251D6745E89AB64
                                              APIs
                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005762EC
                                              • GetWindowLongW.USER32(01795DE0,000000F0), ref: 0057631F
                                              • GetWindowLongW.USER32(01795DE0,000000F0), ref: 00576354
                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00576386
                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005763B0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 005763C1
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005763DB
                                              Similarity
                                              • API ID: LongWindow$MessageSend
                                              • String ID:
                                              • API String ID: 2178440468-0
                                              • Opcode ID: a59d64b3601715f4de73d790bde6f221331d31401d32e0f3b13117f477e6e8d0
                                              • Instruction ID: 4469febe205b48fd9df2bfe9a6640463eab9bf5ef646744db1e85c452be29ff6
                                              • Opcode Fuzzy Hash: a59d64b3601715f4de73d790bde6f221331d31401d32e0f3b13117f477e6e8d0
                                              • Instruction Fuzzy Hash: 333114306406509FDB21DF19EC84F543BE1FB5A714F2986A4F5198F2B2CB72A884EB51
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0054DB2E
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0054DB54
                                              • SysAllocString.OLEAUT32(00000000), ref: 0054DB57
                                              • SysAllocString.OLEAUT32(?), ref: 0054DB75
                                              • SysFreeString.OLEAUT32(?), ref: 0054DB7E
                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 0054DBA3
                                              • SysAllocString.OLEAUT32(?), ref: 0054DBB1
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 28a0318d32dee4f69904a64a61509a529ac2839a76a9956a504ed3ce77cee18e
                                              • Instruction ID: 6a4ece503166fcfb9e92d735b7a503eca987dae859f7abb4dd26a35e5236262e
                                              • Opcode Fuzzy Hash: 28a0318d32dee4f69904a64a61509a529ac2839a76a9956a504ed3ce77cee18e
                                              • Instruction Fuzzy Hash: F6219236600219AFDF10DFA9DC88CFB7BACFB09364B018525F958DB291D6709C859B70
                                              APIs
                                                • Part of subcall function 00567D8B: inet_addr.WS2_32(00000000), ref: 00567DB6
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 005661C6
                                              • WSAGetLastError.WS2_32(00000000), ref: 005661D5
                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0056620E
                                              • connect.WSOCK32(00000000,?,00000010), ref: 00566217
                                              • WSAGetLastError.WS2_32 ref: 00566221
                                              • closesocket.WS2_32(00000000), ref: 0056624A
                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00566263
                                              Similarity
                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                              • String ID:
                                              • API String ID: 910771015-0
                                              • Opcode ID: c641501edf10255801e4151590280ef27663dc9eafff3ca4534e76ce67dbf000
                                              • Instruction ID: f3e59bf5af999c93b7373f431a7b14045a0de26301c8b9c670f87f65847d6548
                                              • Opcode Fuzzy Hash: c641501edf10255801e4151590280ef27663dc9eafff3ca4534e76ce67dbf000
                                              • Instruction Fuzzy Hash: 6A31A135600118ABDF10AF24DC89FBE7BADFB45754F044429F909A7291CB74AD48DBA2
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                              • API String ID: 1038674560-2734436370
                                              • Opcode ID: 62823072db49efca0aa511453e318ec854673953d1fce105229ed8952c6cd5c9
                                              • Instruction ID: 4dfc7e055a218c8c3541237e1fe624176066711bf58f7882fe4788aa63b17001
                                              • Opcode Fuzzy Hash: 62823072db49efca0aa511453e318ec854673953d1fce105229ed8952c6cd5c9
                                              • Instruction Fuzzy Hash: 422149722051126AE320A63DAC06EFB7F98FF95348F114839F94696091EB549D82D3A5
                                              APIs
                                                • Part of subcall function 004F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004F1D73
                                                • Part of subcall function 004F1D35: GetStockObject.GDI32(00000011), ref: 004F1D87
                                                • Part of subcall function 004F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F1D91
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00577632
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0057763F
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0057764A
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00577659
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00577665
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 1094b0c7e5140d23d45004dd0bd2b33aec59f7f381fe639ad6ff1406dfd337c6
                                              • Instruction ID: 78b341319517e4304a6c49daecee0a94bf7dca7692413791b34da1d0f3809de2
                                              • Opcode Fuzzy Hash: 1094b0c7e5140d23d45004dd0bd2b33aec59f7f381fe639ad6ff1406dfd337c6
                                              • Instruction Fuzzy Hash: 601193B111011DBFEF158F64DC85EE77F6DFF08798F014115B608A2060CA72AC21EBA4
                                              APIs
                                              • __init_pointers.LIBCMT ref: 00519AE6
                                                • Part of subcall function 00513187: RtlEncodePointer.NTDLL(00000000), ref: 0051318A
                                                • Part of subcall function 00513187: __initp_misc_winsig.LIBCMT ref: 005131A5
                                                • Part of subcall function 00513187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00519EA0
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00519EB4
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00519EC7
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00519EDA
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00519EED
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00519F00
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00519F13
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00519F26
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00519F39
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00519F4C
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00519F5F
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00519F72
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00519F85
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00519F98
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00519FAB
                                                • Part of subcall function 00513187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00519FBE
                                              • __mtinitlocks.LIBCMT ref: 00519AEB
                                              • __mtterm.LIBCMT ref: 00519AF4
                                                • Part of subcall function 00519B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00519C56
                                                • Part of subcall function 00519B5C: _free.LIBCMT ref: 00519C5D
                                                • Part of subcall function 00519B5C: RtlDeleteCriticalSection.NTDLL(02[), ref: 00519C7F
                                              • __calloc_crt.LIBCMT ref: 00519B19
                                              • __initptd.LIBCMT ref: 00519B3B
                                              • GetCurrentThreadId.KERNEL32 ref: 00519B42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                              • String ID:
                                              • API String ID: 3567560977-0
                                              • Opcode ID: 45473f1259d9582ef9ff0a42e894009ed25ea75ce954f7489136bf7c963a801b
                                              • Instruction ID: 58f1f833e49cacd4330ec9972798cd30b3e92d746b0bfee47bad0bfcd394dcd0
                                              • Opcode Fuzzy Hash: 45473f1259d9582ef9ff0a42e894009ed25ea75ce954f7489136bf7c963a801b
                                              • Instruction Fuzzy Hash: 88F06D32A0D7126EF7347674BC2BACA3E90BF82730F200A19F464961D2EF2089C142A0
                                              APIs
                                              • _memset.LIBCMT ref: 0057B644
                                              • _memset.LIBCMT ref: 0057B653
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005B6F20,005B6F64), ref: 0057B682
                                              • CloseHandle.KERNEL32 ref: 0057B694
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memset$CloseCreateHandleProcess
                                              • String ID: o[$do[
                                              • API String ID: 3277943733-2598502710
                                              • Opcode ID: fcf43e98f46a37a7ab9e310c68a977ddf82aa4c67a0aa7561ff3906fbd5d5cac
                                              • Instruction ID: 53a9c1736a903a6254965d7e04b70ba2893a24fb1d062995d8640cc2d9f029c2
                                              • Opcode Fuzzy Hash: fcf43e98f46a37a7ab9e310c68a977ddf82aa4c67a0aa7561ff3906fbd5d5cac
                                              • Instruction Fuzzy Hash: 73F05EB25403007AF3106B61BC0AFBB3E9CFB18395F004420FA0CE6196D7796C54E7A8
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00513F85), ref: 00514085
                                              • GetProcAddress.KERNEL32(00000000), ref: 0051408C
                                              • RtlEncodePointer.NTDLL(00000000), ref: 00514097
                                              • RtlDecodePointer.NTDLL(00513F85), ref: 005140B2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoUninitialize$combase.dll
                                              • API String ID: 3489934621-2819208100
                                              • Opcode ID: 7b6f71f4b9ca061dfbc8c7a27a60b75788074337a75eb1a4f90ab3a42e4e419f
                                              • Instruction ID: 2bf0cc07877dcf8997d99849b14685489ed553bb3a029778d0ef3d2645c2272d
                                              • Opcode Fuzzy Hash: 7b6f71f4b9ca061dfbc8c7a27a60b75788074337a75eb1a4f90ab3a42e4e419f
                                              • Instruction Fuzzy Hash: 21E09274586310AFEB50AF65EC0DB453EA8BB24742F104524F505F50A0CBB6568CFB14
                                              APIs
                                              • __WSAFDIsSet.WS2_32(00000000,?), ref: 00566C00
                                              • WSAGetLastError.WS2_32(00000000), ref: 00566C34
                                              • htons.WS2_32(?), ref: 00566CEA
                                              • inet_ntoa.WS2_32(?), ref: 00566CA7
                                                • Part of subcall function 0054A7E9: _strlen.LIBCMT ref: 0054A7F3
                                                • Part of subcall function 0054A7E9: _memmove.LIBCMT ref: 0054A815
                                              • _strlen.LIBCMT ref: 00566D44
                                              • _memmove.LIBCMT ref: 00566DAD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                              • String ID:
                                              • API String ID: 3619996494-0
                                              • Opcode ID: dd6e1263a1960880d6ede5b5e201b65f36b1215e00387e48969eb79e160410c2
                                              • Instruction ID: 9c7e491ec94619796b9bc792f9f2ced5c94de74b6e5c4269b0cbe564dad6237e
                                              • Opcode Fuzzy Hash: dd6e1263a1960880d6ede5b5e201b65f36b1215e00387e48969eb79e160410c2
                                              • Instruction Fuzzy Hash: 8481D071204204ABC714EB25DC86F7BBBA8FF84718F144A1DF6559B2E2DA74AD04CB92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove$__itow__swprintf
                                              • String ID:
                                              • API String ID: 3253778849-0
                                              • Opcode ID: 96805780c0106e568e9343b682c462643b7272fc15666bc796fe2e4b0ac6dc61
                                              • Instruction ID: b8296dbcfaa93cf755b277370815e169065c5b47cc25e55768251807fa486394
                                              • Opcode Fuzzy Hash: 96805780c0106e568e9343b682c462643b7272fc15666bc796fe2e4b0ac6dc61
                                              • Instruction Fuzzy Hash: 93618B3090028A9BDF01EF61CCA6EFE3BA9BF45308F44491AFD555B192DB78AC49CB54
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 00570E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056FDAD,?,?), ref: 00570E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005702BD
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005702FD
                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00570320
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00570349
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057038C
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00570399
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                              • String ID:
                                              • API String ID: 4046560759-0
                                              • Opcode ID: 43d1e333d10d691c436d7c761d924ff96917ba5bbfdbf140a00f93f8a2b8ffcb
                                              • Instruction ID: 4cc0e04f236e6c5b81d60e0b9dc672c7ea6464edccd1cd2b2fafb726d5fb2d2d
                                              • Opcode Fuzzy Hash: 43d1e333d10d691c436d7c761d924ff96917ba5bbfdbf140a00f93f8a2b8ffcb
                                              • Instruction Fuzzy Hash: BB516931108205EFD714EF64D889EAEBBE8FF89314F04891DF5498B2A2DB31E945DB52
                                              APIs
                                              • GetMenu.USER32(?), ref: 005757FB
                                              • GetMenuItemCount.USER32(00000000), ref: 00575832
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0057585A
                                              • GetMenuItemID.USER32(?,?), ref: 005758C9
                                              • GetSubMenu.USER32(?,?), ref: 005758D7
                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00575928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountMessagePostString
                                              • String ID:
                                              • API String ID: 650687236-0
                                              • Opcode ID: e881db983a93b5e4aca3843cb0c21242a24debf43ceef0e94d3cb968b673f4cb
                                              • Instruction ID: e69c0321526e051322b78007f07cd6ddfa078b8e165a4e03acddfa10bf3f1b84
                                              • Opcode Fuzzy Hash: e881db983a93b5e4aca3843cb0c21242a24debf43ceef0e94d3cb968b673f4cb
                                              • Instruction Fuzzy Hash: 90515D71A00619EFCF11EF64D845AAEBBB4FF48310F108469E909AB351DB74AE41EB91
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 0054EF06
                                              • VariantClear.OLEAUT32(00000013), ref: 0054EF78
                                              • VariantClear.OLEAUT32(00000000), ref: 0054EFD3
                                              • _memmove.LIBCMT ref: 0054EFFD
                                              • VariantClear.OLEAUT32(?), ref: 0054F04A
                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0054F078
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                              • String ID:
                                              • API String ID: 1101466143-0
                                              • Opcode ID: cf0046c5093bf3a092ed88c9eaaf9c83607f36166b4f3368276bb389f14eba0e
                                              • Instruction ID: 09216cd18ebb5922a032b7abe983bed74c21afebfb6952af1b8ad8080994876e
                                              • Opcode Fuzzy Hash: cf0046c5093bf3a092ed88c9eaaf9c83607f36166b4f3368276bb389f14eba0e
                                              • Instruction Fuzzy Hash: 2C516E75A00209EFDB14CF58D884AAABBB9FF8C314B158569ED59DB301E334E951CFA0
                                              APIs
                                              • _memset.LIBCMT ref: 00552258
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005522A3
                                              • IsMenu.USER32(00000000), ref: 005522C3
                                              • CreatePopupMenu.USER32 ref: 005522F7
                                              • GetMenuItemCount.USER32(000000FF), ref: 00552355
                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00552386
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                              • String ID:
                                              • API String ID: 3311875123-0
                                              • Opcode ID: 2296735fb3c0f3fceed46f5a80707ab7df951c6add261c5f284587b23de13f7c
                                              • Instruction ID: ee7b56d9cdf334d697c70c3975c7a64f82221a304a98348a0b93834e1479c01c
                                              • Opcode Fuzzy Hash: 2296735fb3c0f3fceed46f5a80707ab7df951c6add261c5f284587b23de13f7c
                                              • Instruction Fuzzy Hash: B751CE3060020ADBDF21CF68D8A8BADBFF5FF56316F15492AEC15A7290D3749A48CB51
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 004F179A
                                              • GetWindowRect.USER32(?,?), ref: 004F17FE
                                              • ScreenToClient.USER32(?,?), ref: 004F181B
                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004F182C
                                              • EndPaint.USER32(?,?), ref: 004F1876
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                              • String ID:
                                              • API String ID: 1827037458-0
                                              • Opcode ID: 0aa4d46ca1c3c0903070fcc2d73a8bc4019cb7aa7b73b3b0278e1df12671ad3d
                                              • Instruction ID: 0edc806347bbf6b28d5de2dfabd3ca5459a324b6f91181705de5325125d9ca03
                                              • Opcode Fuzzy Hash: 0aa4d46ca1c3c0903070fcc2d73a8bc4019cb7aa7b73b3b0278e1df12671ad3d
                                              • Instruction Fuzzy Hash: 25419030104204DFD711EF25DC84FBA7BE8FB56764F144629F698862B1D734A849EB62
                                              APIs
                                              • ShowWindow.USER32(005B57B0,00000000,01795DE0,?,?,005B57B0,?,0057B5A8,?,?), ref: 0057B712
                                              • EnableWindow.USER32(00000000,00000000), ref: 0057B736
                                              • ShowWindow.USER32(005B57B0,00000000,01795DE0,?,?,005B57B0,?,0057B5A8,?,?), ref: 0057B796
                                              • ShowWindow.USER32(00000000,00000004,?,0057B5A8,?,?), ref: 0057B7A8
                                              • EnableWindow.USER32(00000000,00000001), ref: 0057B7CC
                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0057B7EF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID:
                                              • API String ID: 642888154-0
                                              • Opcode ID: ebd2d5569011e15fe7d48f07bbbb01eec2a6cbb38868ab140c99a2b1a4a1effe
                                              • Instruction ID: 0a1b798a496ed789c5475a73894632c0e136aca1dc69505532e4faebbe5cb738
                                              • Opcode Fuzzy Hash: ebd2d5569011e15fe7d48f07bbbb01eec2a6cbb38868ab140c99a2b1a4a1effe
                                              • Instruction Fuzzy Hash: 88418434600250AFEB29CF24E499B947FE1FF85310F1881B9F94D8F6A2C731A856EB51
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00564E41,?,?,00000000,00000001), ref: 005670AC
                                                • Part of subcall function 005639A0: GetWindowRect.USER32(?,?), ref: 005639B3
                                              • GetDesktopWindow.USER32 ref: 005670D6
                                              • GetWindowRect.USER32(00000000), ref: 005670DD
                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0056710F
                                                • Part of subcall function 00555244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005552BC
                                              • GetCursorPos.USER32(?), ref: 0056713B
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00567199
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                              • String ID:
                                              • API String ID: 4137160315-0
                                              • Opcode ID: d82a8b6dae1e95577ede1f1bb4e685da2ecb0f4b70c4454078c6ac0722a95f8a
                                              • Instruction ID: d6825faddbf0ffc81c85fbba2ad7709bd6c61a90fc948fcf64ff85cbfcf2e0fc
                                              • Opcode Fuzzy Hash: d82a8b6dae1e95577ede1f1bb4e685da2ecb0f4b70c4454078c6ac0722a95f8a
                                              • Instruction Fuzzy Hash: 2431D27250930AABD720DF14D849B9BBBA9FF89314F00091AF59997191DA30EA49CB92
                                              APIs
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                                • Part of subcall function 0050FC86: _wcscpy.LIBCMT ref: 0050FCA9
                                              • _wcstok.LIBCMT ref: 0055EC94
                                              • _wcscpy.LIBCMT ref: 0055ED23
                                              • _memset.LIBCMT ref: 0055ED56
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                              • String ID: X
                                              • API String ID: 774024439-3081909835
                                              • Opcode ID: 50eab596edf5db96ba684193bf0e30e89a002963b3a286028e26791941a81318
                                              • Instruction ID: b130c2376a030ffb4928e3630f28876748863a588081ae5e1432eaa10e5edbef
                                              • Opcode Fuzzy Hash: 50eab596edf5db96ba684193bf0e30e89a002963b3a286028e26791941a81318
                                              • Instruction Fuzzy Hash: B1C1C4305083459FD718EF24C856E6ABBE4FF85314F00492EF9998B2A2DB74ED49CB46
                                              APIs
                                                • Part of subcall function 005480A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005480C0
                                                • Part of subcall function 005480A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005480CA
                                                • Part of subcall function 005480A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005480D9
                                                • Part of subcall function 005480A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 005480E0
                                                • Part of subcall function 005480A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005480F6
                                              • GetLengthSid.ADVAPI32(?,00000000,0054842F), ref: 005488CA
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005488D6
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 005488DD
                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 005488F6
                                              • GetProcessHeap.KERNEL32(00000000,00000000,0054842F), ref: 0054890A
                                              • HeapFree.KERNEL32(00000000), ref: 00548911
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                              • String ID:
                                              • API String ID: 169236558-0
                                              • Opcode ID: 4831e28a1397ba665dc0d869f1d2218c7c08ee837ab8c33e3b21edf8dad9804b
                                              • Instruction ID: f63be600bcc04e099e5f4b0db40ba5fc1456d10e4e358353cb53020c1184eaa2
                                              • Opcode Fuzzy Hash: 4831e28a1397ba665dc0d869f1d2218c7c08ee837ab8c33e3b21edf8dad9804b
                                              • Instruction Fuzzy Hash: 1611AF31501609FFDB14DFA4DC09BFE7B68FB45319F504428F84997210CB329944EB60
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0054B7B5
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0054B7C6
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0054B7CD
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0054B7D5
                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0054B7EC
                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0054B7FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: 633d5b40774974126914e972ce51325ea92e0fcf56ef85aed55e79fb817199b4
                                              • Instruction ID: eb562a6fd69765e03b30116972e4c254d1c51e370ba352cc622f406e0d00f70e
                                              • Opcode Fuzzy Hash: 633d5b40774974126914e972ce51325ea92e0fcf56ef85aed55e79fb817199b4
                                              • Instruction Fuzzy Hash: C60184B5E00219BBEF109BA6AC49E5EBFB8FB58721F004075FA08A7291D6309C00DF90
                                              APIs
                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00510193
                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 0051019B
                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 005101A6
                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 005101B1
                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 005101B9
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 005101C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Virtual
                                              • String ID:
                                              • API String ID: 4278518827-0
                                              • Opcode ID: dc5cf73ce7c500f639cd5b062fc54b6901dfaca839545af1faad227ac40b1311
                                              • Instruction ID: c4cd54ac14a2c55843ac0fcebc394a6c3d4bc20bf1807f76279cc8cbc62f76d7
                                              • Opcode Fuzzy Hash: dc5cf73ce7c500f639cd5b062fc54b6901dfaca839545af1faad227ac40b1311
                                              • Instruction Fuzzy Hash: 04016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005553F9
                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0055540F
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 0055541E
                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055542D
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00555437
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055543E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                              • String ID:
                                              • API String ID: 839392675-0
                                              • Opcode ID: bad60b5e4222be0b763bf99f772c44e0e61d6d0b2fc0ee6abdf2faae2358f5af
                                              • Instruction ID: f941897acf94b707ed777854e623b2384f02705f7b20fa21bb8390cacd62027c
                                              • Opcode Fuzzy Hash: bad60b5e4222be0b763bf99f772c44e0e61d6d0b2fc0ee6abdf2faae2358f5af
                                              • Instruction Fuzzy Hash: 3AF01231141558BBD7219B62EC0DEAB7A7CEBD6B12F000169F908D1051A7A11A45E7B5
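The record just above is the clearest capability indicator in this stretch of the listing: message 0x10 is WM_CLOSE, the 0x1F4 passed to SendMessageTimeoutW is a 500 ms timeout, and 0x1F0FFF passed to OpenProcess is PROCESS_ALL_ACCESS, so the function asks the window to close and then terminates its owning process. Reading hundreds of such records by eye does not scale, so the following added example (not code from the report or from Joe Sandbox) parses records in the format printed on this page into structured data, orders each function's direct API calls by address, keeps APIs inherited from "Part of subcall function" lines separate so they are not counted as the function's own capability, and flags the close-then-kill pattern. The CAPABILITY_APIS map and the sample records (modelled on the records above, with argument lists shortened) are this example's own constructions.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' records and flag capabilities.

Added example, not part of the report. The record grammar follows the text of
this report; CAPABILITY_APIS is an assumed triage list, not something Joe Sandbox defines.
"""
import re
from typing import Dict, List

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " for APIs reached through a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subaddr>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
SECTION_HEADERS = {"Memory Dump Source", "Similarity", "Strings", "Joe Sandbox IDA Plugin"}

PROCESS_ALL_ACCESS = 0x1F0FFF   # OpenProcess desired-access value seen in the record
WM_CLOSE = 0x10                 # message id passed to PostMessageW / SendMessageTimeoutW

# Assumed triage map (example's own choice): direct API name -> capability label.
CAPABILITY_APIS = {
    "TerminateProcess": "kills another process",
    "mouse_event": "injects synthetic mouse input",
    "GetTokenInformation": "inspects an access token",
    "MapVirtualKeyW": "prepares keystroke synthesis",
}


def parse_records(text: str) -> List[Dict]:
    """Split report text into records, one per 'APIs' header."""
    records: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "subcall_apis": [], "meta": {}}
            records.append(cur)
            continue
        if cur is None or line in SECTION_HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            call = {"name": m["name"], "module": m["module"],
                    "args": [a for a in (m["args"] or "").split(",") if a],
                    "ref": int(m["ref"], 16)}
            if m["subaddr"]:                       # inherited from a callee
                call["subcall"] = int(m["subaddr"], 16)
                cur["subcall_apis"].append(call)
            else:
                cur["apis"].append(call)
            continue
        kv = KV_RE.match(line)                     # "API ID: ...", "Opcode ID: ..." etc.
        if kv:
            cur["meta"][kv["key"]] = kv["value"]
    return records


def api_sequence(record: Dict) -> List[str]:
    """Direct API calls ordered by call-site address, i.e. in program order."""
    return [c["name"] for c in sorted(record["apis"], key=lambda c: c["ref"])]


def flag_capabilities(record: Dict) -> Dict[str, str]:
    """Capability labels for direct calls only; subcall APIs stay out of the verdict."""
    return {c["name"]: CAPABILITY_APIS[c["name"]]
            for c in record["apis"] if c["name"] in CAPABILITY_APIS}


def _hex_arg(call: Dict, idx: int):
    """Resolve argument idx as hex; '?' means the plugin could not recover it."""
    try:
        return int(call["args"][idx], 16)
    except (IndexError, ValueError):
        return None


def is_forceful_close(record: Dict) -> bool:
    """WM_CLOSE sent, owner opened with PROCESS_ALL_ACCESS, then TerminateProcess."""
    sends_close = any(c["name"] in ("PostMessageW", "SendMessageTimeoutW")
                      and _hex_arg(c, 1) == WM_CLOSE for c in record["apis"])
    opens_all = any(c["name"] == "OpenProcess" and _hex_arg(c, 0) == PROCESS_ALL_ACCESS
                    for c in record["apis"])
    return sends_close and opens_all and "TerminateProcess" in api_sequence(record)


# Constructed sample modelled on two records above (argument lists shortened).
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005553F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0055540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0055541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 0055542D
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 00555437
• CloseHandle.KERNEL32(00000000,?), ref: 0055543E
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
  • Part of subcall function 005480A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005480C0
• GetLengthSid.ADVAPI32(?,00000000,0054842F), ref: 005488CA
• CopySid.ADVAPI32(00000000,00000000,?), ref: 005488F6
• GetDesktopWindow.USER32 ref: 005670D6
Similarity
• API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, " -> ".join(api_sequence(rec)), flag_capabilities(rec), is_forceful_close(rec))
```

Keeping subcall APIs out of `flag_capabilities` matters: the second sample record only reaches GetTokenInformation through its callee at 005480A9, so attributing "inspects an access token" to it would be counted once per caller and inflate the sample's apparent capability surface. Arguments shown as `?` are unresolved by the plugin, so any check on argument values must tolerate a miss rather than treat it as a mismatch.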
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,?), ref: 00557243
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00557254
                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00500EE4,?,?), ref: 00557261
                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00500EE4,?,?), ref: 0055726E
                                                • Part of subcall function 00556C35: CloseHandle.KERNEL32(00000000,?,0055727B,?,00500EE4,?,?), ref: 00556C3F
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00557281
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00557288
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                              • String ID:
                                              • API String ID: 3495660284-0
                                              • Opcode ID: dfc6817861e734ce560f86725921b8aba2e06ee1769cb18a2aa5ab592b23960e
                                              • Instruction ID: cb47232d47fa7c8b25182bdb73261bc112b752a616c34991239034b640f24876
                                              • Opcode Fuzzy Hash: dfc6817861e734ce560f86725921b8aba2e06ee1769cb18a2aa5ab592b23960e
                                              • Instruction Fuzzy Hash: 84F09A3A144202EBD7115F24FC4C9DA3B29FF58302F400132F606910A2CB761888EB60
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00568613
                                              • CharUpperBuffW.USER32(?,?), ref: 00568722
                                              • VariantClear.OLEAUT32(?), ref: 0056889A
                                                • Part of subcall function 00557562: VariantInit.OLEAUT32(00000000), ref: 005575A2
                                                • Part of subcall function 00557562: VariantCopy.OLEAUT32(00000000,?), ref: 005575AB
                                                • Part of subcall function 00557562: VariantClear.OLEAUT32(00000000), ref: 005575B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4237274167-1221869570
                                              • Opcode ID: 73d1d7319f7da362c47a341bf8958651431f626162085cd3654e9332181e1f4e
                                              • Instruction ID: 3ea9493cde1a3daba5fe5a1e13d57657d5ea8dd82427def0700ed48a40c61254
                                              • Opcode Fuzzy Hash: 73d1d7319f7da362c47a341bf8958651431f626162085cd3654e9332181e1f4e
                                              • Instruction Fuzzy Hash: 4F9168706083059FCB10DF25C48496ABBE4FF89714F148A6EF99A8B361DB31E945CB92
                                              APIs
                                                • Part of subcall function 0050FC86: _wcscpy.LIBCMT ref: 0050FCA9
                                              • _memset.LIBCMT ref: 00552B87
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00552BB6
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00552C69
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00552C97
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                              • String ID: 0
                                              • API String ID: 4152858687-4108050209
                                              • Opcode ID: 8072fb203744c663773625e2f6673ba35b945498f178bfd32f80bc59fea64fdd
                                              • Instruction ID: 6c8d27216018f21497d76884bf82d50ff3305ad3972b05cdeb9d048e01355754
                                              • Opcode Fuzzy Hash: 8072fb203744c663773625e2f6673ba35b945498f178bfd32f80bc59fea64fdd
                                              • Instruction Fuzzy Hash: 1051CF71208301AAD7249F28D865A6F7FE8FF96321F040A2EFC95D6192DB70DD489B52
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memmove$_free
                                              • String ID: 3cP$_P
                                              • API String ID: 2620147621-1684181656
                                              • Opcode ID: af6df9e5740217d5e678802fb16134ac88b2d2a5ab241dbbddcb4e75b08c9680
                                              • Instruction ID: f8ea53940ca1b9576a3744e42f0677ac86c251c568250dbac27a35d68943c54d
                                              • Opcode Fuzzy Hash: af6df9e5740217d5e678802fb16134ac88b2d2a5ab241dbbddcb4e75b08c9680
                                              • Instruction Fuzzy Hash: 78514B716043429FDB25CF28C485B6FBBE9BFC5314F44892DE9898B291EB31E945CB42
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: _memset$_memmove
                                              • String ID: 3cP$ERCP
                                              • API String ID: 2532777613-2671526751
                                              • Opcode ID: 428286f2fa9ee04179e30c283e7526e414f98f91a4c75cf7364d293cdc6bd160
                                              • Instruction ID: a6f3d1cd42efd37c3bbf2342984acc16fa06df4de85e037acb095f7b2361d05b
                                              • Opcode Fuzzy Hash: 428286f2fa9ee04179e30c283e7526e414f98f91a4c75cf7364d293cdc6bd160
                                              • Instruction Fuzzy Hash: 08517E71900706DBDB24CF65C945BEEBFE4BF44314F20496EE54ADB291E770AA94CB80
                                              APIs
                                              • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0054D5D4
                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0054D60A
                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0054D61B
                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0054D69D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                              • String ID: DllGetClassObject
                                              • API String ID: 753597075-1075368562
                                              • Opcode ID: 2d78a504ea7cc2bec16ef4cff0ca0d6a8cc598a492df7d51911f1a7635b94dd1
                                              • Instruction ID: 4406fdc69daebf5615d0978ca938f473885028882402ed1b829e8b9541ae415f
                                              • Opcode Fuzzy Hash: 2d78a504ea7cc2bec16ef4cff0ca0d6a8cc598a492df7d51911f1a7635b94dd1
                                              • Instruction Fuzzy Hash: FC417CB1600204EFDB05DF64C888ADABFB9FF85318F1680A9AC099F205D7B1D944DBB0
                                              APIs
                                              • _memset.LIBCMT ref: 005527C0
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005527DC
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00552822
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005B5890,00000000), ref: 0055286B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem_memset
                                              • String ID: 0
                                              • API String ID: 1173514356-4108050209
                                              • Opcode ID: 47ff87a9fc7b5e3a4c4d9ec71a41862ac3811e92600f137194b53c2ad2ff34b6
                                              • Instruction ID: 8e46f5babd7f15f08fafd32379640f8c5246bba19eade73c5323948e94e911f0
                                              • Opcode Fuzzy Hash: 47ff87a9fc7b5e3a4c4d9ec71a41862ac3811e92600f137194b53c2ad2ff34b6
                                              • Instruction Fuzzy Hash: 6441BF702043429FD720DF64D894B2ABFE8FF86315F04492EF9A597291D730E809CB52
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0056D7C5
                                                • Part of subcall function 004F784B: _memmove.LIBCMT ref: 004F7899
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BuffCharLower_memmove
                                              • String ID: cdecl$none$stdcall$winapi
                                              • API String ID: 3425801089-567219261
                                              • Opcode ID: 8fa30c0d86fd9d79a8b2985c5f2f99faa1ec8b7115e011a95d7c378aa5e265ba
                                              • Instruction ID: 34ef2c14608ee7bbc44b1bf00f98654eb103e9156594433d35186a6b3e7a3a0e
                                              • Opcode Fuzzy Hash: 8fa30c0d86fd9d79a8b2985c5f2f99faa1ec8b7115e011a95d7c378aa5e265ba
                                              • Instruction Fuzzy Hash: 8B310471A0461AABDF00EF64CC559FEBBB4FF45324F008A2AE825972C1CB71AD45CB90
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 0054AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0054AABC
                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00548F14
                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00548F27
                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00548F57
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$_memmove$ClassName
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 365058703-1403004172
                                              • Opcode ID: 8ce92fdd35f0e58a9a1c85391a08579710965cab4a1f69f42a639c4780381552
                                              • Instruction ID: 3cc4126238b30dcc0afdd8eb88ba1a84012bdabbcdfa8895698d85e93ea7c298
                                              • Opcode Fuzzy Hash: 8ce92fdd35f0e58a9a1c85391a08579710965cab4a1f69f42a639c4780381552
                                              • Instruction Fuzzy Hash: AB210471A00109BEDB14ABB1DC89CFFBF69EF46328B10451AF525971E1DF3948499610
                                              APIs
                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056184C
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00561872
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005618A2
                                              • InternetCloseHandle.WININET(00000000), ref: 005618E9
                                                • Part of subcall function 00562483: GetLastError.KERNEL32(?,?,00561817,00000000,00000000,00000001), ref: 00562498
                                                • Part of subcall function 00562483: SetEvent.KERNEL32(?,?,00561817,00000000,00000000,00000001), ref: 005624AD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                              • String ID:
                                              • API String ID: 3113390036-3916222277
                                              • Opcode ID: a833ff91341372f565fe43b978e3fced8cb24e56334e531d59e17af2180cb2e4
                                              • Instruction ID: a38da739b7dd4795dda7e40b7900f7a60ffc14b02898365dcca7e33b0168ad0f
                                              • Opcode Fuzzy Hash: a833ff91341372f565fe43b978e3fced8cb24e56334e531d59e17af2180cb2e4
                                              • Instruction Fuzzy Hash: 9B21B0B1500608BFEB11DB64DC89EBB7BEDFB88745F14412AF40593140EA249D44ABA5
                                              APIs
                                                • Part of subcall function 004F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004F1D73
                                                • Part of subcall function 004F1D35: GetStockObject.GDI32(00000011), ref: 004F1D87
                                                • Part of subcall function 004F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F1D91
                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00576461
                                              • LoadLibraryW.KERNEL32(?), ref: 00576468
                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0057647D
                                              • DestroyWindow.USER32(?), ref: 00576485
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                              • String ID: SysAnimate32
                                              • API String ID: 4146253029-1011021900
                                              • Opcode ID: d59497588518242da3e8b39de6186cf2e8b5ec07987892a247e91ddc8737ebf2
                                              • Instruction ID: 38831d0696c7ffef6386cb781fec06b3a636a28b3ca7a5b79f4e3d3370e7e44c
                                              • Opcode Fuzzy Hash: d59497588518242da3e8b39de6186cf2e8b5ec07987892a247e91ddc8737ebf2
                                              • Instruction Fuzzy Hash: F2215071100606AFEF108F64EC94EBA7BAAFB59764F108629F91893190D771DC51B760
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00556DBC
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00556DEF
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00556E01
                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00556E3B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: 6091ca1fd4edbf17fd383bbcdb4021473e8bb5fc2f4b6460bb8cc9cb9e34e08a
                                              • Instruction ID: 73a192cbaea601a9bd7db582ac9a1633c17fe4e11519d09674647d1d77cb7411
                                              • Opcode Fuzzy Hash: 6091ca1fd4edbf17fd383bbcdb4021473e8bb5fc2f4b6460bb8cc9cb9e34e08a
                                              • Instruction Fuzzy Hash: 0021B57460024AABDB209F29DC15A9A7FF8FF54722F604A1AFCA0D72D0D7709C58DB50
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00556E89
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00556EBB
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00556ECC
                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00556F06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: a27c178099ccd23e2efae8ca72d9f1d0c03d3cd20013c78cfd2cb4ab92696464
                                              • Instruction ID: 04db1da055461cc09aa55192e2e90aa02f5d898e212b5c74639a78bbefad75b9
                                              • Opcode Fuzzy Hash: a27c178099ccd23e2efae8ca72d9f1d0c03d3cd20013c78cfd2cb4ab92696464
                                              • Instruction Fuzzy Hash: 1521C4795013459BDB209F69DC15AAB7BA8FF55721F600A1AFCA0D32D0D7709C59CB10
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0055AC54
                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0055ACA8
                                              • __swprintf.LIBCMT ref: 0055ACC1
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0057F910), ref: 0055ACFF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ErrorMode$InformationVolume__swprintf
                                              • String ID: %lu
                                              • API String ID: 3164766367-685833217
                                              • Opcode ID: 7aa0aba0bee508d42e0ac1763fed062ed1644a58fe41476907d4ada9cdbd1f6e
                                              • Instruction ID: 067e6b7059cf4f953c3b54f1d0cdd79b241ab50fc6a18e398a91713e87f38331
                                              • Opcode Fuzzy Hash: 7aa0aba0bee508d42e0ac1763fed062ed1644a58fe41476907d4ada9cdbd1f6e
                                              • Instruction Fuzzy Hash: 28217130A0010DAFCB10DF65DD45EEE7BB8FF89314B0040A9F9099B251DA31EE45DB21
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0054FCED,?,00550D40,?,00008000), ref: 0055115F
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0054FCED,?,00550D40,?,00008000), ref: 00551184
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0054FCED,?,00550D40,?,00008000), ref: 0055118E
                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,0054FCED,?,00550D40,?,00008000), ref: 005511C1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CounterPerformanceQuerySleep
                                              • String ID: @U
                                              • API String ID: 2875609808-561287140
                                              • Opcode ID: 542a34ae8c423412e64a0a4da385ee9f2d99b036dd550f4fc0ab7c0bfb696655
                                              • Instruction ID: e8f704264f2dcac713f7474b5ad1dbde8e4d1d16600ff3e0d9bc813d62d02b5a
                                              • Opcode Fuzzy Hash: 542a34ae8c423412e64a0a4da385ee9f2d99b036dd550f4fc0ab7c0bfb696655
                                              • Instruction Fuzzy Hash: ED114C31C00919DBCF00DFA4D8587EEBF78FB19712F414496DE45B6240CA705598EBA9
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00551B19
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                              • API String ID: 3964851224-769500911
                                              • Opcode ID: 1790381d8cfd04f048dab45a30eb93c3ee60e2ded609f3723cc0166c51976a4f
                                              • Instruction ID: 2e63b57c04cc4819715f74c52609df128124a1116b844b66c1efe44d306b80e8
                                              • Opcode Fuzzy Hash: 1790381d8cfd04f048dab45a30eb93c3ee60e2ded609f3723cc0166c51976a4f
                                              • Instruction Fuzzy Hash: 1A113C309001099FCF00EF64D8659FEBFB4FF66314F10846ADC5467291EB32594ACB54
                                              APIs
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0056EC07
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0056EC37
                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0056ED6A
                                              • CloseHandle.KERNEL32(?), ref: 0056EDEB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                              • String ID:
                                              • API String ID: 2364364464-0
                                              • Opcode ID: c3f61edfa775bbf8c70d1fe1c953db8b5894f3ac63734aab522dcd12dec75d51
                                              • Instruction ID: 15a8c602c476b65c98a8ac186524e0e973b0494c48e95692c370983343cdac5e
                                              • Opcode Fuzzy Hash: c3f61edfa775bbf8c70d1fe1c953db8b5894f3ac63734aab522dcd12dec75d51
                                              • Instruction Fuzzy Hash: 12817F756003009FDB20EF29C886F2ABBE5AF44714F04881EFA999B292DB74AC44CB55
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 00570E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0056FDAD,?,?), ref: 00570E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005700FD
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057013C
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00570183
                                              • RegCloseKey.ADVAPI32(?,?), ref: 005701AF
                                              • RegCloseKey.ADVAPI32(00000000), ref: 005701BC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                              • String ID:
                                              • API String ID: 3440857362-0
                                              • Opcode ID: a114bfd3eeb210b686d9e3a547a2eca82c935b068d4faf35e878f5c5e205c347
                                              • Instruction ID: 1ce6ca3612a6cdb635e459b39f83014b40f4ce0ed10142c647f1ecb13239f0e1
                                              • Opcode Fuzzy Hash: a114bfd3eeb210b686d9e3a547a2eca82c935b068d4faf35e878f5c5e205c347
                                              • Instruction Fuzzy Hash: C8515C71218204AFD704EF64DC85F6ABBE9FF84318F40891DF55987291DB35E904DB52
                                              APIs
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0056D927
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0056D9AA
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0056D9C6
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0056DA07
                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0056DA21
                                                • Part of subcall function 004F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00557896,?,?,00000000), ref: 004F5A2C
                                                • Part of subcall function 004F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00557896,?,?,00000000,?,?), ref: 004F5A50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                              • String ID:
                                              • API String ID: 327935632-0
                                              • Opcode ID: 61e1454f18d3a6c72aaf0e46bf97a99fedfc6c8b8b1a083acd7e63c99fe40869
                                              • Instruction ID: 89b393ff22007a2483b3eb38a5307df850e429f7be4ba620b407f2eefd7da99c
                                              • Opcode Fuzzy Hash: 61e1454f18d3a6c72aaf0e46bf97a99fedfc6c8b8b1a083acd7e63c99fe40869
                                              • Instruction Fuzzy Hash: 03513775E04609DFCB00EFA8C484DADBBB4FF19314B15846AEA19AB312D735AD45CFA0
                                              APIs
                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0055E61F
                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0055E648
                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0055E687
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0055E6AC
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0055E6B4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                              • String ID:
                                              • API String ID: 1389676194-0
                                              • Opcode ID: f4f0550946eb676195e9e9f046a472059dee7f2c0aadd427ecb4ad74dbc513ec
                                              • Instruction ID: 651e34bbb6cddf312a374f225a9ce91a7a588b611e642bddbdc06248d4f1a0eb
                                              • Opcode Fuzzy Hash: f4f0550946eb676195e9e9f046a472059dee7f2c0aadd427ecb4ad74dbc513ec
                                              • Instruction Fuzzy Hash: B4517A35A00109DFCB00EF65C885AAEBBF5FF09354B1480AAE909AB362CB35ED44DF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b2def4f95bcdcfb543754a759799be1b832301af00641e83258f15bb44e272b
                                              • Instruction ID: 8c097a1317aa21078b6e866fae44b445eab2ba2b19e6e096b918f8c4f066c3fb
                                              • Opcode Fuzzy Hash: 5b2def4f95bcdcfb543754a759799be1b832301af00641e83258f15bb44e272b
                                              • Instruction Fuzzy Hash: B941BE35904104AFE724DB28EC48FAEBFA4FB89310F548665F81EA72E1D730AD45FA51
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 004F2357
                                              • ScreenToClient.USER32(005B57B0,?), ref: 004F2374
                                              • GetAsyncKeyState.USER32(00000001), ref: 004F2399
                                              • GetAsyncKeyState.USER32(00000002), ref: 004F23A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AsyncState$ClientCursorScreen
                                              • String ID:
                                              • API String ID: 4210589936-0
                                              • Opcode ID: cc236d423f10c389a3a693d9c4d76268739a2c63128400172cb23775f0b9c415
                                              • Instruction ID: f07a2aa16be54088aab937e3ffd72c10c4b44e382c7b5095af473efc138f7e52
                                              • Opcode Fuzzy Hash: cc236d423f10c389a3a693d9c4d76268739a2c63128400172cb23775f0b9c415
                                              • Instruction Fuzzy Hash: 82418175604119FBDF199F68D848AEEBF74FF05360F20431AF928922D0CB74A994EB91
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005463E7
                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00546433
                                              • TranslateMessage.USER32(?), ref: 0054645C
                                              • DispatchMessageW.USER32(?), ref: 00546466
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00546475
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                              • String ID:
                                              • API String ID: 2108273632-0
                                              • Opcode ID: 6c3b987fe116b806130fe96f682d4711a26b76bd39ae27447c69d38a5a529433
                                              • Instruction ID: edfe070e49bf5326912ebcb30907005eaa21e5132ea7d31dc51f391e33f1e17b
                                              • Opcode Fuzzy Hash: 6c3b987fe116b806130fe96f682d4711a26b76bd39ae27447c69d38a5a529433
                                              • Instruction Fuzzy Hash: A531CB716006469FDF64CF74DC84BF67FACBB12348F140665E415C3161E725A88DE762
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00548A30
                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00548ADA
                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00548AE2
                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00548AF0
                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00548AF8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              • Opcode ID: e33f0824e0131bf27f552973285ace302f1279d1f3badc7d849cb20fef159418
                                              • Instruction ID: 545041586122757906d87fdcf5e9b867d789686e1459695316911859c4cadce0
                                              • Opcode Fuzzy Hash: e33f0824e0131bf27f552973285ace302f1279d1f3badc7d849cb20fef159418
                                              • Instruction Fuzzy Hash: D531B171500219EFDB14CF69D94CAEE3BB5FB14329F104629F925EA1D0C7B09954EB90
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 0054B204
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0054B221
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0054B259
                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0054B27F
                                              • _wcsstr.LIBCMT ref: 0054B289
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                              • String ID:
                                              • API String ID: 3902887630-0
                                              • Opcode ID: 8a6e9f71afd039abf79e158bc1a3c2f08fd51c9e30bde72728a5372db80f4cc2
                                              • Instruction ID: 17845226a4ba8d82ca91cde47b15b2e1a4e26fd199dd72a776ff44db50a6983c
                                              • Opcode Fuzzy Hash: 8a6e9f71afd039abf79e158bc1a3c2f08fd51c9e30bde72728a5372db80f4cc2
                                              • Instruction Fuzzy Hash: 9421F5752082057BFB159B75AC49EBF7F9CFF89720F004129F808DA1A1EBA1DC80A360
                                              APIs
                                                • Part of subcall function 004F2612: GetWindowLongW.USER32(?,000000EB), ref: 004F2623
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0057B192
                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0057B1B7
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0057B1CF
                                              • GetSystemMetrics.USER32(00000004), ref: 0057B1F8
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00560E90,00000000), ref: 0057B216
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$Long$MetricsSystem
                                              • String ID:
                                              • API String ID: 2294984445-0
                                              • Opcode ID: 860fb590bd278b67b38f53a8558146e7c2bd411722c4495401769dbe6630c409
                                              • Instruction ID: 6933b04540d5f4dad5f22c5d4833d3262c7b804ca2b9089a17a0831f12e185f7
                                              • Opcode Fuzzy Hash: 860fb590bd278b67b38f53a8558146e7c2bd411722c4495401769dbe6630c409
                                              • Instruction Fuzzy Hash: 5E219471610665AFDB149F39EC14B6A3BA4FB15361F218728F93AD71E0E7309850FB90
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00549320
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00549352
                                              • __itow.LIBCMT ref: 0054936A
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00549392
                                              • __itow.LIBCMT ref: 005493A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$__itow$_memmove
                                              • String ID:
                                              • API String ID: 2983881199-0
                                              • Opcode ID: add695b2eeda95c57000d9d87185630d05e7fb2c7d090d36883193da90fb21e2
                                              • Instruction ID: 1a69b7eb3404102d5854edd583d480e3f425495627e73be0b35952f739cc7b77
                                              • Opcode Fuzzy Hash: add695b2eeda95c57000d9d87185630d05e7fb2c7d090d36883193da90fb21e2
                                              • Instruction Fuzzy Hash: 20210731700208ABEB10DE619C8AEEF3FA8FB8A718F044429FA04D71D0D6B08D459792
                                              APIs
                                              • IsWindow.USER32(00000000), ref: 00565A6E
                                              • GetForegroundWindow.USER32 ref: 00565A85
                                              • GetDC.USER32(00000000), ref: 00565AC1
                                              • GetPixel.GDI32(00000000,?,00000003), ref: 00565ACD
                                              • ReleaseDC.USER32(00000000,00000003), ref: 00565B08
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$ForegroundPixelRelease
                                              • String ID:
                                              • API String ID: 4156661090-0
                                              • Opcode ID: b10965204b51d7c5aa0b5648de5cbdf600c3e1c3ff7b64873a5e9c7697f20219
                                              • Instruction ID: 3d32860461baaff24c4f866db1db7cb33ab8fbca3ef2d69c3d6607c255e27bf5
                                              • Opcode Fuzzy Hash: b10965204b51d7c5aa0b5648de5cbdf600c3e1c3ff7b64873a5e9c7697f20219
                                              • Instruction Fuzzy Hash: F221A135A00104AFD704EFA5DC88AAABBE5FF58311F148479F80AD7362DA30AD44DB90
                                              APIs
                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004F134D
                                              • SelectObject.GDI32(?,00000000), ref: 004F135C
                                              • BeginPath.GDI32(?), ref: 004F1373
                                              • SelectObject.GDI32(?,00000000), ref: 004F139C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              • Opcode ID: 0cc0acaf14f00cffad43076d346e25250eb25722b9484474587bbe864864ad97
                                              • Instruction ID: b0dd870cea5155d8163222e54ba52d98bd24b72e7e5a31fb073c77905ef5c9a7
                                              • Opcode Fuzzy Hash: 0cc0acaf14f00cffad43076d346e25250eb25722b9484474587bbe864864ad97
                                              • Instruction Fuzzy Hash: DF217431800608DFEB559F25EC0876A7BE8FB20321F24431BF915A62B0E375A899FF55
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00554ABA
                                              • __beginthreadex.LIBCMT ref: 00554AD8
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00554AED
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00554B03
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00554B0A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                              • String ID:
                                              • API String ID: 3824534824-0
                                              • Opcode ID: ed2b2d56ac8f4b41cc18e163e51ece2ec473c717f2ebc969e768e1d6c1314d85
                                              • Instruction ID: 1bc855f58d7e2d86b611e5f1ea942fefcbba3aea9698888469fba276e6e736b8
                                              • Opcode Fuzzy Hash: ed2b2d56ac8f4b41cc18e163e51ece2ec473c717f2ebc969e768e1d6c1314d85
                                              • Instruction Fuzzy Hash: C6110876905204BBCB008FA8EC08B9B7FACFB55325F14436AFC18D3250D671D9889BA0
                                              APIs
                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0054821E
                                              • GetLastError.KERNEL32(?,00547CE2,?,?,?), ref: 00548228
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00547CE2,?,?,?), ref: 00548237
                                              • RtlAllocateHeap.NTDLL(00000000,?,00547CE2), ref: 0054823E
                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00548255
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 883493501-0
                                              • Opcode ID: 3b0252e5150005329c0951e4fb5fb15a3ac1eef077778ae8752a3c3dbd5eef53
                                              • Instruction ID: 7e9052b8d987735aa325b6f894a150215b4207cb027a9a2352277dca93132e3b
                                              • Opcode Fuzzy Hash: 3b0252e5150005329c0951e4fb5fb15a3ac1eef077778ae8752a3c3dbd5eef53
                                              • Instruction Fuzzy Hash: 9D014B75208204AFDB208FA5EC48DBB7FADFF9A754B500429F809D3220DA718C44EB60
                                              APIs
                                              • CLSIDFromProgID.COMBASE ref: 00547127
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00547142
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00547044,80070057,?,?), ref: 00547150
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00547160
                                              • CLSIDFromString.COMBASE(?,?), ref: 0054716C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              • Opcode ID: 0c228b301ac368cd5780fabee78c69f8e07ea1b14e5a00366ac4b2bc9ee013e7
                                              • Instruction ID: c0e73acd14c84aef6946b835b77ac2ce5246fee5e681955203ee59b9e24dd4ea
                                              • Opcode Fuzzy Hash: 0c228b301ac368cd5780fabee78c69f8e07ea1b14e5a00366ac4b2bc9ee013e7
                                              • Instruction Fuzzy Hash: F2017C72605208ABDB118F64EC44AAE7FADFF48795F1410A4FD09D2220D731DD80EBA0
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00555260
                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0055526E
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00555276
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00555280
                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005552BC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                              • String ID:
                                              • API String ID: 2833360925-0
                                              • Opcode ID: 63fa7a072b577a6791ecba47807f73888130a1ee8931583b1d5fb4e594b2d625
                                              • Instruction ID: 6c557c20ff73e3e67881d19c28c24a6408c2933eb5f0a1b455d4428672368631
                                              • Opcode Fuzzy Hash: 63fa7a072b577a6791ecba47807f73888130a1ee8931583b1d5fb4e594b2d625
                                              • Instruction Fuzzy Hash: F8015735D01A29DBCF00EFE4E868AEDBB78BF19322F400456E945F2141DB305598EBA1
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00548121
                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0054812B
                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0054813A
                                              • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00548141
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00548157
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: 5ec1602de11917741e0b855dcf6f917bd908815564a29df96b020a273218645e
                                              • Instruction ID: ea8497fae8f317bbf71295ed625d232e0103a8a175d4dd81db2929f621cb62c8
                                              • Opcode Fuzzy Hash: 5ec1602de11917741e0b855dcf6f917bd908815564a29df96b020a273218645e
                                              • Instruction Fuzzy Hash: 13F04F71200304AFEB114FA5EC88FBB3FACFF49758F000026F949D7150CA619985EB60
                                              APIs
                                              • GetDlgItem.USER32(?,000003E9), ref: 0054C1F7
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0054C20E
                                              • MessageBeep.USER32(00000000), ref: 0054C226
                                              • KillTimer.USER32(?,0000040A), ref: 0054C242
                                              • EndDialog.USER32(?,00000001), ref: 0054C25C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                              • String ID:
                                              • API String ID: 3741023627-0
                                              • Opcode ID: d088fdc81ce71d31c8ac8b0473c1210f0377999890c91fa81a3748a67b503abe
                                              • Instruction ID: eec43cc7bb118946dcd807b527ca0ec9356223022916dcc6b50e3f156a999ba8
                                              • Opcode Fuzzy Hash: d088fdc81ce71d31c8ac8b0473c1210f0377999890c91fa81a3748a67b503abe
                                              • Instruction Fuzzy Hash: 7A01DB3450430497EB649B50ED4EFE67F78FF10B09F000669F586914E0D7F46988AB50
                                              APIs
                                              • EndPath.GDI32(?), ref: 004F13BF
                                              • StrokeAndFillPath.GDI32(?,?,0052B888,00000000,?), ref: 004F13DB
                                              • SelectObject.GDI32(?,00000000), ref: 004F13EE
                                              • DeleteObject.GDI32 ref: 004F1401
                                              • StrokePath.GDI32(?), ref: 004F141C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                              • String ID:
                                              • API String ID: 2625713937-0
                                              • Opcode ID: f989d5e1309434ae34313288c82b6791098e6fec3780191eeb3abfa611356c9a
                                              • Instruction ID: 6daea42139d94d9414bc6bfc718e0eee2496b1eac43975c25d744d790595e25c
                                              • Opcode Fuzzy Hash: f989d5e1309434ae34313288c82b6791098e6fec3780191eeb3abfa611356c9a
                                              • Instruction Fuzzy Hash: 3EF01D30004608DBDB569F26EC4C7693BA4A720326F188325F52E981F1D734559DFF14
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0054899D
                                              • CloseHandle.KERNEL32(?), ref: 005489B2
                                              • CloseHandle.KERNEL32(?), ref: 005489BA
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 005489C3
                                              • HeapFree.KERNEL32(00000000), ref: 005489CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                              • String ID:
                                              • API String ID: 3751786701-0
                                              • Opcode ID: c21f1e0713b6bd54ecc8f937808361eb23fe6dce04d4bb6ee5af748169e4aa44
                                              • Instruction ID: 0499956eab169ffb1b97afc884df3de5b6378731fa68b2ea8f1c4d774007a1c8
                                              • Opcode Fuzzy Hash: c21f1e0713b6bd54ecc8f937808361eb23fe6dce04d4bb6ee5af748169e4aa44
                                              • Instruction Fuzzy Hash: 80E05976104505FFD6019FF6FC0C955BB69FBA9762B504631F21D81470CB3254A5FB60
                                              APIs
                                                • Part of subcall function 00510DB6: std::exception::exception.LIBCMT ref: 00510DEC
                                                • Part of subcall function 00510DB6: __CxxThrowException@8.LIBCMT ref: 00510E01
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 004F7A51: _memmove.LIBCMT ref: 004F7AAB
                                              • __swprintf.LIBCMT ref: 00502ECD
                                              Strings
                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00502D66
                                              Similarity
                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                              • API String ID: 1943609520-557222456
                                              • Opcode ID: 2d7f4ee5a8316524d978a282f787dcaa0ccd13a92272c4341f0c0f64a7e51c67
                                              • Instruction ID: 2efa4e5cbae25f7cfd23d293465706b2f5b4c9223b852e0ecdff93f693f33a0f
                                              • Opcode Fuzzy Hash: 2d7f4ee5a8316524d978a282f787dcaa0ccd13a92272c4341f0c0f64a7e51c67
                                              • Instruction Fuzzy Hash: CA917C71108606AFDB14EF24C899C7FBBA8FF85314F00491EF5469B2A1EA74ED44CB56
                                              APIs
                                                • Part of subcall function 004F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F4743,?,?,004F37AE,?), ref: 004F4770
                                              • CoInitialize.OLE32(00000000), ref: 0055B9BB
                                              • CoCreateInstance.COMBASE(00582D6C,00000000,00000001,00582BDC,?), ref: 0055B9D4
                                              • CoUninitialize.COMBASE ref: 0055B9F1
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              Strings
                                              Similarity
                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                              • String ID: .lnk
                                              • API String ID: 2126378814-24824748
                                              • Opcode ID: d487c84ff4bf5e8d3094a713d2600cb67a17bbe9b1b9731285eba7705d81b166
                                              • Instruction ID: 2deac14292b58b1630412a53faff3905bdab2b9e9af8141331eeddc2584f4536
                                              • Opcode Fuzzy Hash: d487c84ff4bf5e8d3094a713d2600cb67a17bbe9b1b9731285eba7705d81b166
                                              • Instruction Fuzzy Hash: B4A157746043059FDB00EF15C494E2ABBE5FF89324F04894AF9999B3A1CB31ED49CB91
                                              APIs
                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0054B4BE
                                              Strings
                                              Similarity
                                              • API ID: ContainedObject
                                              • String ID: AutoIt3GUI$Container$%X
                                              • API String ID: 3565006973-2547061136
                                              • Opcode ID: 31401045a9bb1f00cae80cc3f4f2bafedf8e3a757a385f751c453cc6bb9c6bf8
                                              • Instruction ID: 558e4df864098ca199aff7d27457b353e2f29803952b12315f47efb173b61d3b
                                              • Opcode Fuzzy Hash: 31401045a9bb1f00cae80cc3f4f2bafedf8e3a757a385f751c453cc6bb9c6bf8
                                              • Instruction Fuzzy Hash: A5913B70600605AFEB14DF64C884BAABBF5FF49714F24896DF94ACB291EB71E841CB50
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 005150AD
                                                • Part of subcall function 005200F0: __87except.LIBCMT ref: 0052012B
                                              Strings
                                              Similarity
                                              • API ID: ErrorHandling__87except__start
                                              • String ID: pow
                                              • API String ID: 2905807303-2276729525
                                              • Opcode ID: 02caa17b63db0b3c7803326618b693a7bee0f743243a7c17c80efe2800bbf769
                                              • Instruction ID: c908215c4f009e805181d45f5d71b19d5cb7841645e88f8a75d5bf2e2376c8a6
                                              • Opcode Fuzzy Hash: 02caa17b63db0b3c7803326618b693a7bee0f743243a7c17c80efe2800bbf769
                                              • Instruction Fuzzy Hash: 88517B2090A502D6EB117764DC493BE2F94BFD6300F309D59E4D5862EAFE348DD8D682
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: 3cP$_P
                                              • API String ID: 4104443479-1684181656
                                              • Opcode ID: 83a2f7ccd9eb5a084988ae8c0b9ccc5671cd26ccdf2f52e783f5e58c42914f1f
                                              • Instruction ID: 4a1ddfe0c246a2366a7cc249a2de7775907bb04c725e68eff6022ba2025b4253
                                              • Opcode Fuzzy Hash: 83a2f7ccd9eb5a084988ae8c0b9ccc5671cd26ccdf2f52e783f5e58c42914f1f
                                              • Instruction Fuzzy Hash: EF513EB09006199FCF65CF68C885ABEBBF1FF44304F14852AE85AD7250EB31A965CF51
                                              APIs
                                                • Part of subcall function 005514BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00549296,?,?,00000034,00000800,?,00000034), ref: 005514E6
                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0054983F
                                                • Part of subcall function 00551487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005492C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005514B1
                                                • Part of subcall function 005513DE: GetWindowThreadProcessId.USER32(?,?), ref: 00551409
                                                • Part of subcall function 005513DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0054925A,00000034,?,?,00001004,00000000,00000000), ref: 00551419
                                                • Part of subcall function 005513DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0054925A,00000034,?,?,00001004,00000000,00000000), ref: 0055142F
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005498AC
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005498F9
                                              Strings
                                              Similarity
                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                              • String ID: @
                                              • API String ID: 4150878124-2766056989
                                              • Opcode ID: 70894a366a8cf0cdebf66a15def9defc90067b71c44cd23cc42d7ecdbc484988
                                              • Instruction ID: 4f4b541be1d1cb229a4b193d81bd9d2d8c8f5f06270a0acef36897b2f87b67e3
                                              • Opcode Fuzzy Hash: 70894a366a8cf0cdebf66a15def9defc90067b71c44cd23cc42d7ecdbc484988
                                              • Instruction Fuzzy Hash: 92414F76900119BEDF10DFA4CD56ADEBFB8FB49700F004159F945B7181DA716E89CBA0
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0057F910,00000000,?,?,?,?), ref: 005779DF
                                              • GetWindowLongW.USER32 ref: 005779FC
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00577A0C
                                              Strings
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID: SysTreeView32
                                              • API String ID: 847901565-1698111956
                                              • Opcode ID: 8fe6056744bf6c6f05a24cd19fde7b71d570c4304a33fde939612bb69f7f18df
                                              • Instruction ID: d696e6b522c037282ac5c6ca8412a3041076120863f2b09009302c0f4eb417da
                                              • Opcode Fuzzy Hash: 8fe6056744bf6c6f05a24cd19fde7b71d570c4304a33fde939612bb69f7f18df
                                              • Instruction Fuzzy Hash: C531C33120520AAFDB118E38EC45BEA7BA9FB49324F208725F979D31E0D731ED51AB50
                                              APIs
                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00577461
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00577475
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00577499
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: SysMonthCal32
                                              • API String ID: 2326795674-1439706946
                                              • Opcode ID: b1cb47e882f66ba24a11db39c1d66831f05ba92d74d6f57fa17320fc1e1d4bcc
                                              • Instruction ID: 7d6c3322973cb94bd8f17cd3c6326085cf4659439879ea729bb739aae2720c23
                                              • Opcode Fuzzy Hash: b1cb47e882f66ba24a11db39c1d66831f05ba92d74d6f57fa17320fc1e1d4bcc
                                              • Instruction Fuzzy Hash: 9B21A03260021DABDF118E54EC46FEA3F6AFB4C724F114214FE196B190DA75A894ABA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00576D3B
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00576D4B
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00576D70
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              • Opcode ID: dea1e300b608ca7f98926027f83272064d03324449484c450d15c2022a3f9d8a
                                              • Instruction ID: 812acfcd9b2cafa273d23c4391656c269db39b49c0635428e1eabaed46b60549
                                              • Opcode Fuzzy Hash: dea1e300b608ca7f98926027f83272064d03324449484c450d15c2022a3f9d8a
                                              • Instruction Fuzzy Hash: 02218332610118BFDF268F54EC45FBB3B7AFB89750F01C124F9499B1A0C6719C51ABA0
                                              APIs
                                              • __snwprintf.LIBCMT ref: 00563A66
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                              Strings
                                              Similarity
                                              • API ID: __snwprintf_memmove
                                              • String ID: , $$AUTOITCALLVARIABLE%d$%X
                                              • API String ID: 3506404897-3039241582
                                              • Opcode ID: 820434a88b02e54682c2f475f5ccb3c699d7dd4ecddb0846d90e4148074724e0
                                              • Instruction ID: 216ee1f4a8b35adc47d136e95fcd58aaa67f29fd1816772d93f2858fb0a5803b
                                              • Opcode Fuzzy Hash: 820434a88b02e54682c2f475f5ccb3c699d7dd4ecddb0846d90e4148074724e0
                                              • Instruction Fuzzy Hash: E9218131A0011DAECF10EFA5CC92ABE7BB5BF45304F404459E545AB182DB34EA45DB65
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00577772
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00577787
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00577794
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              • Opcode ID: d207690bd88761833122c9331f2666e91193452cbb0afc614540105169a75929
                                              • Instruction ID: 4674167c000e08ff462d2cf9cbb416b9cbc08fecca07ba6618e78624eb7aef84
                                              • Opcode Fuzzy Hash: d207690bd88761833122c9331f2666e91193452cbb0afc614540105169a75929
                                              • Instruction Fuzzy Hash: CE110472204208BAEB145F65EC05FAB3B68FF88B54F018118F64596090D671A811EB20
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: __calloc_crt
• String ID: Z$@B[
• API String ID: 3494438863-1576950042
• Opcode ID: 598cd61153e38761116d657d6aee0ca3e3211e59e3c426efb9ee2d550d488781
• Instruction ID: fe3d4542ef6f4b372a2cc5dfe4a13f037027ea6d94c087efe33e5019b0e6dd87
• Opcode Fuzzy Hash: 598cd61153e38761116d657d6aee0ca3e3211e59e3c426efb9ee2d550d488781
• Instruction Fuzzy Hash: B9F0447920D6128BFBAD9F54BC66BE66F94F751730B500916E200CE190FB70A8C59684
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004F4AD0), ref: 004F4B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004F4B57
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 7950037de167f07395bc1f057ff168274f73abeab02af3d2781f5b512a57474c
• Instruction ID: 862180abbf15aeaf083d4d611b19a02a15b7b9f541edaf55c1b3febe2cb43307
• Opcode Fuzzy Hash: 7950037de167f07395bc1f057ff168274f73abeab02af3d2781f5b512a57474c
• Instruction Fuzzy Hash: 78D0E234A10716CFD720DB32E828B177AE4AF55391B11C87A948AD6250EA74E880EB68
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004F4BD0,?,004F4DEF,?,005B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004F4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4C23
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: eaeba697cfdacfc60cea52c7e625ba3b39db4ed2363470c34483cec123ec1820
• Instruction ID: 630cf87ec7bd8f25a464d523110fe50c1e19f970e0147ac42bb30a2fbc080d48
• Opcode Fuzzy Hash: eaeba697cfdacfc60cea52c7e625ba3b39db4ed2363470c34483cec123ec1820
• Instruction Fuzzy Hash: 2BD0EC30511712CFD7209B71E90861BBAD5EF19351B51883A9589D6650EAB4D480DB50
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004F4B83,?), ref: 004F4C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: 6b96e45e90c8a430c65004d86fd8d68f26c919ba56fe57c4e3eea653744b3230
• Instruction ID: c5b6cea83327ddb7f13f875c680566755364c9e04644499edf3f996b99e6d0d5
• Opcode Fuzzy Hash: 6b96e45e90c8a430c65004d86fd8d68f26c919ba56fe57c4e3eea653744b3230
• Instruction Fuzzy Hash: D6D01730910713CFD720DF31E90861B7BE5AF15351F52C83A969AD6260FA74D8C0EB60
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00571039), ref: 00570DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00570E07
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: c9082ce6e855dbb0dcb1187847fe43cafcb6ba53e4c2f7046117913c69d116a4
• Instruction ID: 8ef36115e9647dea07a0908f1a76602fccc5b26a5fd87f12a9ab543f181abebf
• Opcode Fuzzy Hash: c9082ce6e855dbb0dcb1187847fe43cafcb6ba53e4c2f7046117913c69d116a4
• Instruction Fuzzy Hash: A6D01270910722CFD7209F75E8096467AD9BF15351F51DC3D9889DA590E6B0D4D0EB50
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00568CF4,?,0057F910), ref: 005690EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00569100
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: f7ec9bf8cee86fae5f7c6db8726e577fff2f6cfd4c4119670fd17bb14f59ddb5
• Instruction ID: 0718ccd3a9d979a43a0d5254b9676b0ae7a61857e4f13dddcd0fc7240b3b5182
• Opcode Fuzzy Hash: f7ec9bf8cee86fae5f7c6db8726e577fff2f6cfd4c4119670fd17bb14f59ddb5
• Instruction Fuzzy Hash: 19D01734520713CFDB20DF31E82C6067AE8BF16351F22C83A948AD6590EA70C8C0EBA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: fe3b6972044bc07012952081c85936a786489e27c5a8df0a7e5c949d072740c1
• Instruction ID: 6c50f2e854e456f62f5abe4e8ce7e88a8f775c2b1ab407556f6fff4c5ce65ddd
• Opcode Fuzzy Hash: fe3b6972044bc07012952081c85936a786489e27c5a8df0a7e5c949d072740c1
• Instruction Fuzzy Hash: 77D0177180851DEADB009AA09C898F97F7CFB19301F180862B506E2040E6269B95EB29
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52b9213f5b3bbf9fb3ad771da6c9215659c48396b8a4da173e53af2718beab38
• Instruction ID: 4a7b0cf2a93e824eeaa7abfcbce831f0cb3edcf98b438230ccbbbbfebbe4f530
• Opcode Fuzzy Hash: 52b9213f5b3bbf9fb3ad771da6c9215659c48396b8a4da173e53af2718beab38
• Instruction Fuzzy Hash: 7DC13175A0421AEFCB14CFA4C884EAEBBB5FF48718B154998E805DB251D770DD81DB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 0056E0BE
• CharLowerBuffW.USER32(?,?), ref: 0056E101
  • Part of subcall function 0056D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0056D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0056E301
• _memmove.LIBCMT ref: 0056E314
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: 171c1690ab5974734f7919aa40cbaeba61793040a952d806c3536d93018fd7da
• Instruction ID: 4c12bb608cd61c22718b29a156e293f2a7f7f141b533f41a1764bd60b5fcbb7a
• Opcode Fuzzy Hash: 171c1690ab5974734f7919aa40cbaeba61793040a952d806c3536d93018fd7da
• Instruction Fuzzy Hash: 25C15475A083019FC704DF28C481A6ABBE4FF89318F14896EF9999B351D770E946CF82
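The LoadLibraryA/GetProcAddress records above show the unpacked code resolving GetNativeSystemInfo, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW and GetModuleHandleExW at run time, and the CharLowerBuffW record shows a VirtualAlloc with protection 00000040 (PAGE_EXECUTE_READWRITE) followed by a _memmove into the new region. The ">>>AUTOIT NO CMDEXECUTE<<<" argument visible on one of the LoadLibraryA calls is an AutoIt3 runtime string, so these resolutions are consistent with the interpreter's own compatibility shims rather than with the embedded script; a triage pass should therefore list them for a reviewer instead of treating each one as a finding. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses "APIs" lines in the report's own text format (the sample lines are copied from the records above and embedded as constructed input), pairs each GetProcAddress with the preceding LoadLibrary* call, and flags watchlisted symbols and RWX allocations. The watchlist and the positional loader pairing are the example's own assumptions.

```python
"""Parse the per-function "APIs" records of a Joe Sandbox report and flag
run-time symbol resolution and RWX allocations. Added example: not Joe
Sandbox code and not code from the sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input, copied from the function records above. Format per line:
# "• Api.MODULE(arg,...), ref: ADDR"; an "APIs" header starts each function.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004F4AD0), ref: 004F4B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004F4B57
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004F4BD0,?,004F4DEF,?,005B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004F4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4C23
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00571039), ref: 00570DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00570E07
APIs
• CharLowerBuffW.USER32(?,?), ref: 0056E0BE
  • Part of subcall function 0056D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0056D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0056E301
• _memmove.LIBCMT ref: 0056E314
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
PAGE_EXECUTE_READWRITE = 0x40
# Symbols worth a second look when resolved at run time; the example's own
# choice (an assumption), not a Joe Sandbox signature.
WATCHLIST = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection", "RegDeleteKeyExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set on "Part of subcall function" detail lines


def parse_records(text: str) -> List[List[ApiCall]]:
    """One list of calls per "APIs" header; lines that are not API bullets are skipped."""
    records: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
        elif records and (m := API_RE.match(line)):
            # Argument strings in this report carry no commas, so a plain split is safe.
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
    return records


def dynamic_imports(calls: List[ApiCall]) -> List[Tuple[Optional[str], str]]:
    """Pair each GetProcAddress with the closest preceding LoadLibrary* call.
    The report prints the HMODULE as 00000000, so the pairing is positional
    (calls are listed in address order): a heuristic, not a data-flow result."""
    pairs, dll = [], None
    for c in calls:
        if c.caller:  # belongs to another function; do not attribute it here
            continue
        if c.name in LOADERS and c.args:
            dll = c.args[0].lower()
        elif c.name == "GetProcAddress" and len(c.args) >= 2:
            pairs.append((dll, c.args[1]))
    return pairs


def rwx_allocations(calls: List[ApiCall]) -> List[Tuple[str, int]]:
    """(ref, size) for VirtualAlloc calls that request PAGE_EXECUTE_READWRITE."""
    hits = []
    for c in calls:
        if c.name == "VirtualAlloc" and len(c.args) == 4 and not c.caller:
            try:
                size, protect = int(c.args[1], 16), int(c.args[3], 16)
            except ValueError:  # "?" means the sandbox could not recover the value
                continue
            if protect & PAGE_EXECUTE_READWRITE:
                hits.append((c.ref, size))
    return hits


def triage(text: str) -> List[Tuple[int, str]]:
    """(record index, finding) for every watchlisted symbol or RWX allocation."""
    findings = []
    for idx, calls in enumerate(parse_records(text)):
        for dll, sym in dynamic_imports(calls):
            if sym in WATCHLIST:
                findings.append((idx, f"{dll or '?'}!{sym} resolved at run time"))
        for ref, size in rwx_allocations(calls):
            findings.append((idx, f"RWX VirtualAlloc of {size:#x} bytes at {ref}"))
    return findings


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE):
        print(f"function #{idx}: {finding}")
```

Run against a full report export, the script gives a per-function list of run-time-resolved symbols and RWX allocations to read alongside the "API ID" fields; because the sandbox prints "?" for arguments it could not recover, the RWX check skips those calls rather than guessing, and the "Part of subcall function" lines are deliberately not credited to the function they are listed under.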
APIs
• CoInitialize.OLE32(00000000), ref: 005680C3
• CoUninitialize.COMBASE ref: 005680CE
  • Part of subcall function 0054D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0054D5D4
• VariantInit.OLEAUT32(?), ref: 005680D9
• VariantClear.OLEAUT32(?), ref: 005683AA
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 0f44b1128be9081ea962162c27e6437e5ff2f49e02685b8f4ecf8e5f9a8e6868
• Instruction ID: 50d1d1dae9ce219c3d6a24068eaf20a7065738fb58f9422924779cdab824f6a9
• Opcode Fuzzy Hash: 0f44b1128be9081ea962162c27e6437e5ff2f49e02685b8f4ecf8e5f9a8e6868
• Instruction Fuzzy Hash: 19A168752047059FCB10EF25C895B2ABBE4BF89354F04494DFA9A9B3A1CB34EC44CB86
APIs
• ProgIDFromCLSID.COMBASE(?,00000000), ref: 005476EA
• CoTaskMemFree.COMBASE(00000000), ref: 00547702
• CLSIDFromProgID.COMBASE(?,?), ref: 00547727
• _memcmp.LIBCMT ref: 00547748
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 8629dd9a51793af24871c72c571c52f877abf86e27bdf910dfc0b9d496823d96
• Instruction ID: 3ceb478528e2aa38c651c02efcdc25967e69ccb1dc9ebf2261fd7da50909495b
• Opcode Fuzzy Hash: 8629dd9a51793af24871c72c571c52f877abf86e27bdf910dfc0b9d496823d96
• Instruction Fuzzy Hash: 4F81EE75A00109EFCB04DFA4C984EEEBBB9FF89319F204559F505AB250DB71AE46CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 7e8b56519b6a60aca1c99d508e4b12d5bd52df3ba7432e76cac42c3bbc44e095
• Instruction ID: f6e927d75358c42335d9237c0583b78ae2a5137351f8f7bc9e624025ca7024de
• Opcode Fuzzy Hash: 7e8b56519b6a60aca1c99d508e4b12d5bd52df3ba7432e76cac42c3bbc44e095
• Instruction Fuzzy Hash: 1C51F674700702DEDB24EF66D495BBABBE5BF46318F20D81FE586DB291DA74D8808702
                                              APIs
                                              • GetWindowRect.USER32(017A09D0,?), ref: 00579863
                                              • ScreenToClient.USER32(00000002,00000002), ref: 00579896
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00579903
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID:
                                              • API String ID: 3880355969-0
                                              • Opcode ID: ff817c862c27dafb3ce8ce4dc876f0dbfcbf0775f5914ec50e909ec55287ea9a
                                              • Instruction ID: 1669a57fb0bb5891a2a5d8a52fb129925f7e7ff7155c4669e15ee6671f7f5772
                                              • Opcode Fuzzy Hash: ff817c862c27dafb3ce8ce4dc876f0dbfcbf0775f5914ec50e909ec55287ea9a
                                              • Instruction Fuzzy Hash: 96516F34A00209EFDF14DF14E884AAE7BB5FF55360F10825DF9599B2A0D730AD81EBA0
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00549AD2
                                              • __itow.LIBCMT ref: 00549B03
                                                • Part of subcall function 00549D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00549DBE
                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00549B6C
                                              • __itow.LIBCMT ref: 00549BC3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend$__itow
                                              • String ID:
                                              • API String ID: 3379773720-0
                                              • Opcode ID: 6a0debe8a546f16774f6cc98e674318522bd48cf5d7ca90c018697eaa2998f60
                                              • Instruction ID: 6e68cfa8f0a67d76fe84a3046667b21ae1b0b83d64b0228dd0b97c459cda93e1
                                              • Opcode Fuzzy Hash: 6a0debe8a546f16774f6cc98e674318522bd48cf5d7ca90c018697eaa2998f60
                                              • Instruction Fuzzy Hash: 68417F70A0420DABDF11DF55D84ABFE7FB9EF45718F00005AFA05A6291DB749944CB61
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0055B89E
                                              • GetLastError.KERNEL32(?,00000000), ref: 0055B8C4
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0055B8E9
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0055B915
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              • Opcode ID: 7a3c083698adc53eb92267031020fb01fc6cef3db471bb863389a83b46f63b04
                                              • Instruction ID: 4cc74fba9832f906b5014819bffdb9a25c0ca53c9fead640f73950431867deee
                                              • Opcode Fuzzy Hash: 7a3c083698adc53eb92267031020fb01fc6cef3db471bb863389a83b46f63b04
                                              • Instruction Fuzzy Hash: 47414839600614DFCB10EF15C494A69BBE1BF8A354F08808AED4AAB362CB34FD45DB95
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005788DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: 6ded067a797b29130abe34704494fe96aa4f64d26bc6790bc624ad0870822074
                                              • Instruction ID: 5bd419708f5b70c979b0676bcbb7cec6ed2934d70d87d9909f261de921541dca
                                              • Opcode Fuzzy Hash: 6ded067a797b29130abe34704494fe96aa4f64d26bc6790bc624ad0870822074
                                              • Instruction Fuzzy Hash: A0319234680109BEEB249A69EC4DBB87FA5FB05350F648912FB19E61A1CA70A940B753
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 0057AB60
                                              • GetWindowRect.USER32(?,?), ref: 0057ABD6
                                              • PtInRect.USER32(?,?,0057C014), ref: 0057ABE6
                                              • MessageBeep.USER32(00000000), ref: 0057AC57
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Rect$BeepClientMessageScreenWindow
                                              • String ID:
                                              • API String ID: 1352109105-0
                                              • Opcode ID: 25662f8f4459f15a62fadbb2db9c7d44ebf5ec1d036c6331a2843e77967e3c71
                                              • Instruction ID: a58f4e55d469b96222ec0c6e23ab18a9fe5b280c28daba1e1e5a0d331536f532
                                              • Opcode Fuzzy Hash: 25662f8f4459f15a62fadbb2db9c7d44ebf5ec1d036c6331a2843e77967e3c71
                                              • Instruction Fuzzy Hash: BD414C30600119AFCB16DF58E884B6D7BF9FB99310F24C5A9F51D9B260E730AC45EB92
                                              APIs
                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00550B27
                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00550B43
                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00550BA9
                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00550BFB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: cc45d6a133897b9b85eb8cb8f5151e4bf3e981c60fe09eee04b0d996064f9e32
                                              • Instruction ID: 0a5e2252e6a69578fbd0a685bbab7ef8ae9089f34853d99f01f3f7c97f737e71
                                              • Opcode Fuzzy Hash: cc45d6a133897b9b85eb8cb8f5151e4bf3e981c60fe09eee04b0d996064f9e32
                                              • Instruction Fuzzy Hash: FF313770940218AFFF308A298C69BFEBFA5BB4533AF08565BEC84521D1C3758D8CA751
                                              APIs
                                              • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00550C66
                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00550C82
                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00550CE1
                                              • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00550D33
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: 086be018efbb76083e713dc337c49cfc9ac657f8c6227f46c4e080ab05670259
                                              • Instruction ID: 81ff13d00af6fc417c82307a93f9f561bff90cc4c6841efd35889e41da30dff4
                                              • Opcode Fuzzy Hash: 086be018efbb76083e713dc337c49cfc9ac657f8c6227f46c4e080ab05670259
                                              • Instruction Fuzzy Hash: 14315530940208AEFF30CA688829BFEFFB6BB86312F04572BE884561D1C3349D8D9751
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005261FB
                                              • __isleadbyte_l.LIBCMT ref: 00526229
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00526257
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0052628D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: cec0bab83068440df16c6579b2ca6c11d9218237fbcfb49bf1b58036e1cbfa98
                                              • Instruction ID: ee93f58296d1c4cfe0374edca9babbd011d7eaf1f3e1db77e6d503f697d8565a
                                              • Opcode Fuzzy Hash: cec0bab83068440df16c6579b2ca6c11d9218237fbcfb49bf1b58036e1cbfa98
                                              • Instruction Fuzzy Hash: F731D234604266EFDF218F64EC48BBA7FA9FF42310F154428E824971D1D730E990D790
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00574F02
                                                • Part of subcall function 00553641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0055365B
                                                • Part of subcall function 00553641: GetCurrentThreadId.KERNEL32 ref: 00553662
                                                • Part of subcall function 00553641: AttachThreadInput.USER32(00000000,?,00555005), ref: 00553669
                                              • GetCaretPos.USER32(?), ref: 00574F13
                                              • ClientToScreen.USER32(00000000,?), ref: 00574F4E
                                              • GetForegroundWindow.USER32 ref: 00574F54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              • Opcode ID: 7c92e4e1c8c1bdafafa7a80aa1641dd871ff6332cd2af4e9f02c7eeda4430281
                                              • Instruction ID: 1c0fd039219cc07c907be4c8ff30e80a18c732750e550bf0ca1c76e9fd2a1561
                                              • Opcode Fuzzy Hash: 7c92e4e1c8c1bdafafa7a80aa1641dd871ff6332cd2af4e9f02c7eeda4430281
                                              • Instruction Fuzzy Hash: 3A312B71D00108AFCB00EFA6C885AEFBBF9EF99304F10446AE915E7241DA759E458FA4
                                              APIs
                                                • Part of subcall function 0054810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00548121
                                                • Part of subcall function 0054810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0054812B
                                                • Part of subcall function 0054810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0054813A
                                                • Part of subcall function 0054810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00548141
                                                • Part of subcall function 0054810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00548157
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005486A3
                                              • _memcmp.LIBCMT ref: 005486C6
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005486FC
                                              • HeapFree.KERNEL32(00000000), ref: 00548703
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                              • String ID:
                                              • API String ID: 2182266621-0
                                              • Opcode ID: 77be61d8007e90b6f1e81a520f9ec934e352fd1afd5ec1611378621edba8c87d
                                              • Instruction ID: cdb9a24594abb0c0fc1e3c9b813b70cd874b0d0f42e8c62602ecd142aa5fd37b
                                              • Opcode Fuzzy Hash: 77be61d8007e90b6f1e81a520f9ec934e352fd1afd5ec1611378621edba8c87d
                                              • Instruction Fuzzy Hash: 84216631A00109EBDB00DFA4C948BEEBBB9FF60308F164059E904AB241DB30AA45DBA4
                                              APIs
                                              • __setmode.LIBCMT ref: 005109AE
                                                • Part of subcall function 004F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00557896,?,?,00000000), ref: 004F5A2C
                                                • Part of subcall function 004F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00557896,?,?,00000000,?,?), ref: 004F5A50
                                              • _fprintf.LIBCMT ref: 005109E5
                                              • OutputDebugStringW.KERNEL32(?), ref: 00545DBB
                                                • Part of subcall function 00514AAA: _flsall.LIBCMT ref: 00514AC3
                                              • __setmode.LIBCMT ref: 00510A1A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                              • String ID:
                                              • API String ID: 521402451-0
                                              • Opcode ID: 5aa15cd3c388b2faf26235939b0fba0f851d47ae8d3b7a6a6b34246f3f2e1895
                                              • Instruction ID: 22f64a21ffbe107a5fd3578ed0009930ce4af6a133c489d3ea987945d8c8d693
                                              • Opcode Fuzzy Hash: 5aa15cd3c388b2faf26235939b0fba0f851d47ae8d3b7a6a6b34246f3f2e1895
                                              • Instruction Fuzzy Hash: 291154319042097FEB04B2B4AC4A9FE7FA8BF85324F20001AF204671C2EE645CC69BA4
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005617A3
                                                • Part of subcall function 0056182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056184C
                                                • Part of subcall function 0056182D: InternetCloseHandle.WININET(00000000), ref: 005618E9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Internet$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 1463438336-0
                                              • Opcode ID: e1c06f8211fd34a0a473e4d8034e4eccb26b00bbed16925fda7e48439bd0f6c6
                                              • Instruction ID: a6dac561a530bd017b1b36d1f9c0c881da65f923262a595df189cab9de0a77ff
                                              • Opcode Fuzzy Hash: e1c06f8211fd34a0a473e4d8034e4eccb26b00bbed16925fda7e48439bd0f6c6
                                              • Instruction Fuzzy Hash: A621F631200A01BFEB169F60DC01FBABFE9FF88711F14442AF90597550DB71D810A7A4
                                              APIs
                                              • GetFileAttributesW.KERNEL32(?,0057FAC0), ref: 00553A64
                                              • GetLastError.KERNEL32 ref: 00553A73
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00553A82
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0057FAC0), ref: 00553ADF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                              • String ID:
                                              • API String ID: 2267087916-0
                                              • Opcode ID: 0f24798ab43a643b5ea25947d96ccb69265272f9ea2596b72eb669dcc79606bd
                                              • Instruction ID: c6b6d931e32403033cc57a9a09487d7838f6d8bf919ddaf122f1fe6a0784546d
                                              • Opcode Fuzzy Hash: 0f24798ab43a643b5ea25947d96ccb69265272f9ea2596b72eb669dcc79606bd
                                              • Instruction Fuzzy Hash: 952191745082059F8300EF28D89186ABBE4FF553A9F144A2EF89DC72A2D7319A4DDB52
                                              APIs
                                              • _free.LIBCMT ref: 00525101
                                                • Part of subcall function 0051571C: __FF_MSGBANNER.LIBCMT ref: 00515733
                                                • Part of subcall function 0051571C: __NMSG_WRITE.LIBCMT ref: 0051573A
                                                • Part of subcall function 0051571C: RtlAllocateHeap.NTDLL(01780000,00000000,00000001), ref: 0051575F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              • Opcode ID: 89f8650634ec3bc22e3e542ee77f650af3b44d62a2f90e8ef1aeef9550a20e95
                                              • Instruction ID: e82412abf50492d266f238a6e92ad2ee50ca41388c64ccbebc57425143fad3d7
                                              • Opcode Fuzzy Hash: 89f8650634ec3bc22e3e542ee77f650af3b44d62a2f90e8ef1aeef9550a20e95
                                              • Instruction Fuzzy Hash: 4511A771504A22AEEF312F74BC497AD3F98BF563A1F104929F9899A1D0EE308990D790
                                              APIs
                                              • _memset.LIBCMT ref: 004F44CF
                                                • Part of subcall function 004F407C: _memset.LIBCMT ref: 004F40FC
                                                • Part of subcall function 004F407C: _wcscpy.LIBCMT ref: 004F4150
                                                • Part of subcall function 004F407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004F4160
                                              • KillTimer.USER32(?,00000001,?,?), ref: 004F4524
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F4533
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0052D4B9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                              • String ID:
                                              • API String ID: 1378193009-0
                                              • Opcode ID: a29a87fd53f269f18a299a9b671b2f4b60e0ad80454c79f9b21dcd69ac67e27f
                                              • Instruction ID: dda3ff09f8dcfe86744e1edfa871ea3d323cffb11e9d2f3b213a1fa2929d73e0
                                              • Opcode Fuzzy Hash: a29a87fd53f269f18a299a9b671b2f4b60e0ad80454c79f9b21dcd69ac67e27f
                                              • Instruction Fuzzy Hash: 4C212870404398AFEB32DB249855BF7BFECAF52304F04008EE38E56281C7B82A88D751
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005485E2
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 005485E9
                                              • CloseHandle.KERNEL32(00000004), ref: 00548603
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00548632
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                              • String ID:
                                              • API String ID: 2621361867-0
                                              • Opcode ID: c57cd8988c9e22417d366bb0d9d2020db666d67be2a1fd3bb3b754d1328c0274
                                              • Instruction ID: 253782a82386f6377f4562928b440ed69531d931e34a23d2821c12decb0ea5d8
                                              • Opcode Fuzzy Hash: c57cd8988c9e22417d366bb0d9d2020db666d67be2a1fd3bb3b754d1328c0274
                                              • Instruction Fuzzy Hash: 2A112972501249ABDF01CFA4ED49BEE7BA9FF48348F044065FE09A2161C7729DA5EB60
                                              APIs
                                                • Part of subcall function 004F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00557896,?,?,00000000), ref: 004F5A2C
                                                • Part of subcall function 004F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00557896,?,?,00000000,?,?), ref: 004F5A50
                                              • gethostbyname.WS2_32(?), ref: 00566399
                                              • WSAGetLastError.WS2_32(00000000), ref: 005663A4
                                              • _memmove.LIBCMT ref: 005663D1
                                              • inet_ntoa.WS2_32(?), ref: 005663DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                              • String ID:
                                              • API String ID: 1504782959-0
                                              • Opcode ID: d901aa1461c71d09d9aaa0712f871e87dc6c989806d2c4dff1dba9eedaf92764
                                              • Instruction ID: e8ef5f6929e9c085af8fefb252c2f01041f6e3bc0c226ae49879809224e78e60
                                              • Opcode Fuzzy Hash: d901aa1461c71d09d9aaa0712f871e87dc6c989806d2c4dff1dba9eedaf92764
                                              • Instruction Fuzzy Hash: A511607190010DAFCB04FBA5DD86DFEBBB8BF58314B14406AF605A7261DB34AE14DB61
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00548B61
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00548B73
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00548B89
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00548BA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: f971d15baef5aa7fa507068422a811ef7656f95dfddca7485caffd4dc73d2637
                                              • Instruction ID: 4bea7d1ff791e9bcd3dfa77e8d40b3445272c1125392589a2cf5c824c40bda9b
                                              • Opcode Fuzzy Hash: f971d15baef5aa7fa507068422a811ef7656f95dfddca7485caffd4dc73d2637
                                              • Instruction Fuzzy Hash: 4C110679901218BFEB11DBA5C885EADBBB8FB48710F2040A5EA04B7290DA716E51DB94
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0054D84D
                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0054D864
                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0054D879
                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0054D897
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Type$Register$FileLoadModuleNameUser
                                              • String ID:
                                              • API String ID: 1352324309-0
                                              • Opcode ID: 01f9e051c388586149996484467da2d86f2cda8e20d77c520cfb2efb3508ad39
                                              • Instruction ID: 5acd897271ad8b8393945b71704ea1fdc1fb849bfaef17e77abdcc03abd70424
                                              • Opcode Fuzzy Hash: 01f9e051c388586149996484467da2d86f2cda8e20d77c520cfb2efb3508ad39
                                              • Instruction Fuzzy Hash: 0F115E75605304DBEB20CF50EC08FA2BBBCFB00B04F108969A51AD6550D7B0E549ABB1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction ID: 69c37984709268074d288244bcbb95813a42be527020b162a3c3c5b9aaf77e79
                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction Fuzzy Hash: 11014B7244815EBBCF169E84EC0ACEE3F62BF1E350B588415FA18580B1D236D9B5AF81
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 0057B2E4
                                              • ScreenToClient.USER32(?,?), ref: 0057B2FC
                                              • ScreenToClient.USER32(?,?), ref: 0057B320
                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0057B33B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClientRectScreen$InvalidateWindow
                                              • String ID:
                                              • API String ID: 357397906-0
                                              • Opcode ID: 254cd43b1b38c910dfa468a180e677a5aed5fb065ae99d4b140115edd02b9ab3
                                              • Instruction ID: b5c3aa73caf20cf6917eb33fe46ec55ac9b7988943ca366f91261b946964075c
                                              • Opcode Fuzzy Hash: 254cd43b1b38c910dfa468a180e677a5aed5fb065ae99d4b140115edd02b9ab3
                                              • Instruction Fuzzy Hash: 1D114775D00209EFDB41DF99D844AEEBBF5FF18310F108166E914E3220D735AA559F51
                                              APIs
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00556BE6
                                                • Part of subcall function 005576C4: _memset.LIBCMT ref: 005576F9
                                              • _memmove.LIBCMT ref: 00556C09
                                              • _memset.LIBCMT ref: 00556C16
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00556C26
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                               • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                              • String ID:
                                              • API String ID: 48991266-0
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 004F2231
                                              • SetTextColor.GDI32(?,000000FF), ref: 004F223B
                                              • SetBkMode.GDI32(?,00000001), ref: 004F2250
                                              • GetStockObject.GDI32(00000005), ref: 004F2258
                                              • GetWindowDC.USER32(?,00000000), ref: 0052BE83
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0052BE90
                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0052BEA9
                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0052BEC2
                                              • GetPixel.GDI32(00000000,?,?), ref: 0052BEE2
                                              • ReleaseDC.USER32(?,00000000), ref: 0052BEED
                                              Similarity
                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                              • String ID:
                                              • API String ID: 1946975507-0
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 0054871B
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,005482E6), ref: 00548722
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005482E6), ref: 0054872F
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,005482E6), ref: 00548736
                                              Similarity
                                              • API ID: CurrentOpenProcessThreadToken
                                              • String ID:
                                              • API String ID: 3974789173-0
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: %X
                                              • API String ID: 0-1769119165
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: __itow_s
                                              • String ID: xb[$xb[
                                              • API String ID: 3653519197-2530513249
                                              APIs
                                                • Part of subcall function 0050FC86: _wcscpy.LIBCMT ref: 0050FCA9
                                                • Part of subcall function 004F9837: __itow.LIBCMT ref: 004F9862
                                                • Part of subcall function 004F9837: __swprintf.LIBCMT ref: 004F98AC
                                              • __wcsnicmp.LIBCMT ref: 0055B02D
                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0055B0F6
                                              Strings
                                              Similarity
                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                              • String ID: LPT
                                              • API String ID: 3222508074-1350329615
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 00502968
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00502981
                                              Strings
                                              Similarity
                                              • API ID: GlobalMemorySleepStatus
                                              • String ID: @
                                              • API String ID: 2783356886-2766056989
                                              APIs
                                                • Part of subcall function 004F4F0B: __fread_nolock.LIBCMT ref: 004F4F29
                                              • _wcscmp.LIBCMT ref: 00559824
                                              • _wcscmp.LIBCMT ref: 00559837
                                              Strings
                                              Similarity
                                              • API ID: _wcscmp$__fread_nolock
                                              • String ID: FILE
                                              • API String ID: 4029003684-3121273764
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID: Dd[$Dd[
                                              • API String ID: 1473721057-1415906856
                                              APIs
                                              • _memset.LIBCMT ref: 0056259E
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005625D4
                                              Strings
                                              Similarity
                                              • API ID: CrackInternet_memset
                                              • String ID: |
                                              • API String ID: 1413715105-2343686810
                                              APIs
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00577B61
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00577B76
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: '
                                              • API String ID: 3850602802-1997036262
                                              APIs
                                              • DestroyWindow.USER32(?,?,?,?), ref: 00576B17
                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00576B53
                                              Strings
                                              Similarity
                                              • API ID: Window$DestroyMove
                                              • String ID: static
                                              • API String ID: 2139405536-2160076837
                                              APIs
                                              • _memset.LIBCMT ref: 00552911
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0055294C
                                              Strings
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: e96c006e5e0591253d750432ec07ab77e57069e48f44dc23ba56c7e16d1c0458
                                              • Instruction ID: fef403d260db4fa2ea7acbd00a520bb08de5dd978ec4d9506e84fab0c5f43399
                                              • Opcode Fuzzy Hash: e96c006e5e0591253d750432ec07ab77e57069e48f44dc23ba56c7e16d1c0458
                                              • Instruction Fuzzy Hash: 7931D5716003099BEB29CF98D895BEEBFF8FF46351F14001AED85A62A0D77099C8DB51
                                              APIs
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00576761
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0057676C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Combobox
                                              • API String ID: 3850602802-2096851135
                                              • Opcode ID: 29ae47d2f4d76277ea007b50861b32d461969aac51db53bec070525940759fc2
                                              • Instruction ID: 47dc2a3269911fc7f14ef752bae633733ef36709ef6b12b0123788302f764e47
                                              • Opcode Fuzzy Hash: 29ae47d2f4d76277ea007b50861b32d461969aac51db53bec070525940759fc2
                                              • Instruction Fuzzy Hash: 9111B9713005096FEF15CF54EC81EBB3B6AFB84398F104125F51897290D635DC51A760
                                              APIs
                                                • Part of subcall function 004F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004F1D73
                                                • Part of subcall function 004F1D35: GetStockObject.GDI32(00000011), ref: 004F1D87
                                                • Part of subcall function 004F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F1D91
                                              • GetWindowRect.USER32(00000000,?), ref: 00576C71
                                              • GetSysColor.USER32(00000012), ref: 00576C8B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: 8fceb6594aacff6880917a0cffa48eb4f3697bf5a28498f4b5afcb16558309e1
                                              • Instruction ID: 5777391d875d2a204f6212bd0971992d6a2f77f443e69e3df74518056391a7bf
                                              • Opcode Fuzzy Hash: 8fceb6594aacff6880917a0cffa48eb4f3697bf5a28498f4b5afcb16558309e1
                                              • Instruction Fuzzy Hash: 14212C7651020AAFDF05DFA8DC45EFA7BB8FB08314F004629F959D2250D635E850EB60
                                              APIs
                                              • GetWindowTextLengthW.USER32(00000000), ref: 005769A2
                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005769B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: LengthMessageSendTextWindow
                                              • String ID: edit
                                              • API String ID: 2978978980-2167791130
                                              • Opcode ID: ce6874d2779f906432ad8f04238d2060bd3eab1fd0b60e37bcb503fbec51e488
                                              • Instruction ID: a1075098b594fae2d4e2d7cbe5241da8a4202ca76b20f3c4021e59f0dc01ace1
                                              • Opcode Fuzzy Hash: ce6874d2779f906432ad8f04238d2060bd3eab1fd0b60e37bcb503fbec51e488
                                              • Instruction Fuzzy Hash: D1118F71100508AFEB108E74EC55AEB3B69FB153B4F508724FAA9971E0C735DC94B760
                                              APIs
                                              • _memset.LIBCMT ref: 00552A22
                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00552A41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: ff236bd8d5f9a01ba6c502a00dd66b086cb0555c8c0cb2684caeab86b194a24d
                                              • Instruction ID: af4c8f7c2f91a5f123dd4a7a4e35b029ef6de1f54a5cbb0c0241005a5fdc4b0f
                                              • Opcode Fuzzy Hash: ff236bd8d5f9a01ba6c502a00dd66b086cb0555c8c0cb2684caeab86b194a24d
                                              • Instruction Fuzzy Hash: E811D032A01114ABDF39DB98EC54BAA7BB8BB46301F144126EC55E7290E7B0AD0ED791
                                              APIs
                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0056222C
                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00562255
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Internet$OpenOption
                                              • String ID: <local>
                                              • API String ID: 942729171-4266983199
                                              • Opcode ID: e21df5b34cd8a68041486cdd880941fd9e5d3b2d163eb297de578b7d024dc70d
                                              • Instruction ID: 0afddcccf3fac6a3526cbcdf28095024198d70620b922b0b4176491573c8e8ae
                                              • Opcode Fuzzy Hash: e21df5b34cd8a68041486cdd880941fd9e5d3b2d163eb297de578b7d024dc70d
                                              • Instruction Fuzzy Hash: 9E110274505A25BADB288F11DCA8EBBFFA8FF16351F10862AFA1557100D2706994DAF0
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004F3C14,005B52F8,?,?,?), ref: 0050096E
                                                • Part of subcall function 004F7BCC: _memmove.LIBCMT ref: 004F7C06
                                              • _wcscat.LIBCMT ref: 00534CB7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FullNamePath_memmove_wcscat
                                              • String ID: S[
                                              • API String ID: 257928180-2300449399
                                              • Opcode ID: 2eb0b5f49816213da0c41b52ccf7ea8959fcd52a3bc129c572fa2698d36ee054
                                              • Instruction ID: e1fc2282e3f10bbf4bdfebdf7400f287804edd77fcc13da3fc6e9e8c2e1c36bf
                                              • Opcode Fuzzy Hash: 2eb0b5f49816213da0c41b52ccf7ea8959fcd52a3bc129c572fa2698d36ee054
                                              • Instruction Fuzzy Hash: 4711A5309052099ACB44FF64D80AFDD7FE8BF08354F0048A6B648D72C1EA74A7845B15
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 0054AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0054AABC
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00548E73
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 67de63d554a296f58aac0a2f899c0139ef06b43b093ff1bfc673af85a72398a1
                                              • Instruction ID: 8c6579a913f8ad418bfecd2fba0dedfc44ef776c601fae9fcb5e56015594cbad
                                              • Opcode Fuzzy Hash: 67de63d554a296f58aac0a2f899c0139ef06b43b093ff1bfc673af85a72398a1
                                              • Instruction Fuzzy Hash: 710124B164121DABCB14EBA1CC45CFE7B6CFF06324B400A1AF931672E2DE395818D650
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 0054AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0054AABC
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00548D6B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 845c2f90bf441695916f2ff1df1d3ddc2b22244a5b6ebf890edce02344c90061
                                              • Instruction ID: 23e9b488e247e71ed7a73f8931a0705517edfe1fe0770cb710e6ac9a398157cb
                                              • Opcode Fuzzy Hash: 845c2f90bf441695916f2ff1df1d3ddc2b22244a5b6ebf890edce02344c90061
                                              • Instruction Fuzzy Hash: F001F7B1B4150DABCB14EBA1CD56EFE7BACEF15304F10041AB905632D1DE185E08D2B1
                                              APIs
                                                • Part of subcall function 004F7DE1: _memmove.LIBCMT ref: 004F7E22
                                                • Part of subcall function 0054AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0054AABC
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00548DEE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: bb378e65f8dece7ca899619123c765667b8dc3f58d83b78b9a8d2b66d15780db
                                              • Instruction ID: 9fe9e2a91195e300770fb750ec696eaa2d280b28c55d193978252c5c1623a248
                                              • Opcode Fuzzy Hash: bb378e65f8dece7ca899619123c765667b8dc3f58d83b78b9a8d2b66d15780db
                                              • Instruction Fuzzy Hash: 350126B1B4210DBBCB14EBA5CD46EFE7BACEF15304F10041AB906632D2DE294E08E275
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 0054C534
                                                • Part of subcall function 0054C816: _memmove.LIBCMT ref: 0054C860
                                                • Part of subcall function 0054C816: VariantInit.OLEAUT32(00000000), ref: 0054C882
                                                • Part of subcall function 0054C816: VariantCopy.OLEAUT32(00000000,?), ref: 0054C88C
                                              • VariantClear.OLEAUT32(?), ref: 0054C556
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Variant$Init$ClearCopy_memmove
                                              • String ID: d}Z
                                              • API String ID: 2932060187-2712667583
                                              • Opcode ID: f333e222702dc67844cf5b0529b6f1e6c52b5f264b391963c11e1899a8a53d62
                                              • Instruction ID: ee350f36143ce63b5aa66b295ab0d5d3b883cc5e22fbb1394b990b896c3f9a12
                                              • Opcode Fuzzy Hash: f333e222702dc67844cf5b0529b6f1e6c52b5f264b391963c11e1899a8a53d62
                                              • Instruction Fuzzy Hash: A41100719007089FC720DF9AD88499AFBF8FF18314B50856FE58AD7611E771AA48CF54
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp
                                              • String ID: #32770
                                              • API String ID: 2292705959-463685578
                                              • Opcode ID: 53f3e1b606a4fa07dcb86261a6ccb623bcf5e9849480c553f4b54f7c6011bc77
                                              • Instruction ID: 1fc640318895804a581dc38e1ee13d05127bebad927644b3dcae4af13430361b
                                              • Opcode Fuzzy Hash: 53f3e1b606a4fa07dcb86261a6ccb623bcf5e9849480c553f4b54f7c6011bc77
                                              • Instruction Fuzzy Hash: 7DE09B3250022926D720D659AC49AA7FBACFB55B61F010157FD04D2151E560AA5587E0
                                              APIs
                                                • Part of subcall function 0052B314: _memset.LIBCMT ref: 0052B321
                                                • Part of subcall function 00510940: InitializeCriticalSectionAndSpinCount.KERNEL32(005B4158,00000000,005B4144,0052B2F0,?,?,?,004F100A), ref: 00510945
                                              • IsDebuggerPresent.KERNEL32(?,?,?,004F100A), ref: 0052B2F4
                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004F100A), ref: 0052B303
                                              Strings
                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0052B2FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                              • API String ID: 3158253471-631824599
                                              • Opcode ID: 4d097bc002eae83fcba55564e08932872f2f27e937f3d8518b79a26c95a023ca
                                              • Instruction ID: 1dd2d7fc5f3ff530c16fae8de68dd14665b534ab6d56474848697258448ef894
                                              • Opcode Fuzzy Hash: 4d097bc002eae83fcba55564e08932872f2f27e937f3d8518b79a26c95a023ca
                                              • Instruction Fuzzy Hash: 93E039742007118BEB60DF28E9083527FE8BF61314F008E2DE446C7281EBB4A888DBA1
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00531775
                                                • Part of subcall function 0056BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0053195E,?), ref: 0056BFFE
                                                • Part of subcall function 0056BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0056C010
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0053196D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                              • String ID: WIN_XPe
                                              • API String ID: 582185067-3257408948
                                              • Opcode ID: 453a018df8384b119d89bb69f3bb12b463415ed86bb0c2abf9676591934ffe7a
                                              • Instruction ID: 2e16486c267a1735fc93dbdc4aaebc939846d08a1e8b6a9f7b612e8cd7fedc03
                                              • Opcode Fuzzy Hash: 453a018df8384b119d89bb69f3bb12b463415ed86bb0c2abf9676591934ffe7a
                                              • Instruction Fuzzy Hash: 6CF03970800009DFDB15DBA0C988AFCBBF8FB18300F580495E102E21A0C7759F89EF64
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0057596E
                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00575981
                                                • Part of subcall function 00555244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005552BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: df94db52edf8822397ea043ff3b88c70a63e6f2afc24d58059a83442d292f3e9
                                              • Instruction ID: 8e2f1d9a8de560e0ae019d5f57dbe82b3fa0a7201d5972866d4fe5c1fc4a887f
                                              • Opcode Fuzzy Hash: df94db52edf8822397ea043ff3b88c70a63e6f2afc24d58059a83442d292f3e9
                                              • Instruction Fuzzy Hash: A6D0C935784311B7E664FB70AC1FFA66A54BB54B51F000829B649AE1D0E9E0A844D754
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005759AE
                                              • PostMessageW.USER32(00000000), ref: 005759B5
                                                • Part of subcall function 00555244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005552BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1445492502.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                              • Associated: 00000000.00000002.1445471943.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005A4000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005AE000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445492502.000000000063B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445663265.0000000000641000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1445680585.0000000000642000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4f0000_C2R7VV2QmG.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: 0d1051f045155ae6f21ae19f107232e865591f7e49b195e0c090730dc0a25c7b
                                              • Instruction ID: c48630aeefdf78804ce122b7226c00d72d65a8cfc534ad9661bb899bb7ee33f9
                                              • Opcode Fuzzy Hash: 0d1051f045155ae6f21ae19f107232e865591f7e49b195e0c090730dc0a25c7b
                                              • Instruction Fuzzy Hash: 20D0C931780311BBE664FB70AC1FF966A54BB55B51F000829B649AE1D0E9E0A844D754