Windows Analysis Report
4LbgdNQgna.exe

Overview

General Information

Sample name: 4LbgdNQgna.exe (renamed because the original name is a hash value)
Original sample name: 35931dde3f9e60ae4cbf22e5348bc4afca8d6145137a27a25216edba8b66f68e.exe
Analysis ID: 1588884
MD5: db18c7473665c8c3c28abef8107ac4e8
SHA1: ac8826df8832d3cf3825d1523f5d605c9ff22ea6
SHA256: 35931dde3f9e60ae4cbf22e5348bc4afca8d6145137a27a25216edba8b66f68e
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • 4LbgdNQgna.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\4LbgdNQgna.exe" MD5: DB18C7473665C8C3C28ABEF8107AC4E8)
    • reindulgence.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\4LbgdNQgna.exe" MD5: DB18C7473665C8C3C28ABEF8107AC4E8)
      • RegSvcs.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\4LbgdNQgna.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 7980 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • reindulgence.exe (PID: 8032 cmdline: "C:\Users\user\AppData\Local\lecheries\reindulgence.exe" MD5: DB18C7473665C8C3C28ABEF8107AC4E8)
      • RegSvcs.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Local\lecheries\reindulgence.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware family

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Yara matches in memory dumps

Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp
  • Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
  • Rule: JoeSecurity_GenericDownloader_1; Description: Yara detected Generic Downloader; Author: Joe Security
  • Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
    Strings:
      0x34735: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x347a7: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x34831: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x348c3: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x3492d: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x3499f: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x34a35: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x34ac5: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Rule: MALWARE_Win_AgentTeslaV2; Description: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
    Strings:
      0x3196b: $s2: GetPrivateProfileString
      0x31018: $s3: get_OSFullName
      0x32706: $s5: remove_Key
      0x328b3: $s5: remove_Key
      0x33795: $s6: FtpWebRequest
      0x34717: $s7: logins
      0x34c89: $s7: logins
      0x3798e: $s7: logins
      0x37a4c: $s7: logins
      0x393a1: $s7: logins
      0x385e6: $s9: 1.85 (Hash, version 2, native byte-order)
(table truncated; the full report lists 22 entries)
Yara matches in unpacked PE images

Source: 2.2.reindulgence.exe.12c0000.1.unpack
  • Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
  • Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
    Strings:
      0x32935: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      0x329a7: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      0x32a31: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      0x32ac3: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      0x32b2d: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      0x32b9f: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      0x32c35: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      0x32cc5: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Rule: MALWARE_Win_AgentTeslaV2; Description: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
    Strings:
      0x2fb6b: $s2: GetPrivateProfileString
      0x2f218: $s3: get_OSFullName
      0x30906: $s5: remove_Key
      0x30ab3: $s5: remove_Key
      0x31995: $s6: FtpWebRequest
      0x32917: $s7: logins
      0x32e89: $s7: logins
      0x35b8e: $s7: logins
      0x35c4c: $s7: logins
      0x375a1: $s7: logins
      0x367e6: $s9: 1.85 (Hash, version 2, native byte-order)
Source: 3.2.RegSvcs.exe.400000.0.unpack
  • Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
(table truncated; the full report lists 18 entries)
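The two ditekSHen hits above are pure string rules, so the same check can be run over a memory dump or unpacked image without Yara installed. The following is an added example written for this page; it is not Joe Sandbox's or ditekSHen's code. It uses only the strings the report prints (the real rules carry more strings and their own conditions, which are not reproduced). Searching each string as both ASCII and UTF-16LE, which is how .NET keeps string literals in the #US heap, and the 3-of-8 GUID threshold are this example's assumptions, and the test image it scans is constructed, not a dump from the analysis.

```python
"""Scan a dumped or unpacked image for the strings behind the VaultSchemaGUID
and AgentTeslaV2 Yara hits. Added example; not Joe Sandbox's or ditekSHen's
code. Only the strings printed in the report are used; the UTF-16LE search and
the 3-of-8 threshold are assumptions of this example, not the rules' logic."""
from __future__ import annotations

# Windows vault schema GUIDs as printed in the report's $s1..$s8 matches.
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]

# The subset of MALWARE_Win_AgentTeslaV2 strings the report shows ($s2..$s9).
AGENTTESLA_V2_STRINGS = [
    "GetPrivateProfileString",
    "get_OSFullName",
    "remove_Key",
    "FtpWebRequest",
    "logins",
    "1.85 (Hash, version 2, native byte-order)",
]

ENCODINGS = ("ascii", "utf-16-le")   # assumption: rules match both narrow and wide


def find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data (overlaps included)."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        yield idx
        start = idx + 1


def scan(data: bytes, strings) -> dict[str, list[tuple[int, str]]]:
    """Map each string that occurs in data to its (offset, encoding) hits."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for s in strings:
        for enc in ENCODINGS:
            for off in find_all(data, s.encode(enc)):
                hits.setdefault(s, []).append((off, enc))
    return hits


def vault_guid_verdict(data: bytes, minimum: int = 3) -> bool:
    """True when at least `minimum` distinct vault schema GUIDs are referenced."""
    return len(scan(data, VAULT_SCHEMA_GUIDS)) >= minimum


def report(data: bytes) -> list[str]:
    """Lines in the same offset/string style the sandbox report uses."""
    lines = []
    for label, strings in (("VaultSchemaGUID", VAULT_SCHEMA_GUIDS),
                           ("AgentTeslaV2", AGENTTESLA_V2_STRINGS)):
        for s, places in scan(data, strings).items():
            for off, enc in places:
                lines.append(f"{label}: 0x{off:x} ({enc}): {s}")
    return lines


def build_sample() -> bytes:
    """Constructed test image (not a real dump): an MZ stub with a few markers."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)               # 0x40 bytes of header
    buf += VAULT_SCHEMA_GUIDS[0].encode("utf-16-le")     # at 0x40, stored as .NET would
    buf += b"\x00" * 16
    buf += VAULT_SCHEMA_GUIDS[3].encode("ascii")         # at 0x98
    buf += b"\x00" * 16
    buf += "FtpWebRequest".encode("utf-16-le")           # at 0xcc
    buf += b"\x00" * 8
    buf += b"logins"                                     # at 0xee
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(report(sample)))
    print("vault GUID verdict:", vault_guid_verdict(sample))
```

On a real unpacked image (for instance the 3.2.RegSvcs.exe.400000.0.unpack dump) pass the file bytes to report(); offsets are file offsets, so they line up with the report's figures only for an image dumped from the same base.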

System Summary

Sigma hit; Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\wscript.exe
  ProcessId: 7980 (wscript.exe); ParentProcessId: 4084; ParentImage and ParentCommandLine: not recorded; CommandLine|base64offset|contains: empty
Sigma hit; Source: Process started; Author: Michael Haag
  Same event: Command "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"; Image C:\Windows\System32\wscript.exe; ProcessId 7980; ParentProcessId 4084
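The process tree and the two Sigma hits above show two things worth detecting on a host: a script host launched with a script from the per-user Startup folder, and child processes (reindulgence.exe, RegSvcs.exe) created with their parent's command line rather than their own, which is what a suspended-process injection leaves in process-creation telemetry. The following is an added example written for this page, not Joe Sandbox's, Sysmon's or any Sigma rule's code. The event records are constructed from the tree; RegSvcs.exe's on-disk path (the standard .NET Framework location, since the report prints only the image name) and the parent PIDs the report does not give (set to 0) are assumptions.

```python
"""Two process-creation checks run over events modelled on the report's tree.
Added example; not Joe Sandbox's, Sysmon's or any Sigma rule's own code.
Assumed: the RegSvcs.exe path and any parent PID the report does not state."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EventID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str      # executable actually mapped into the new process
    cmdline: str    # command line as reported for the new process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def startup_script_launch(ev: ProcEvent) -> bool:
    """A script host executing a script file stored under a Startup folder."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(arg.lower().endswith(SCRIPT_EXTS) and STARTUP_DIR_RE.search(arg)
               for arg in split_cmdline(ev.cmdline)[1:])


def image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """The command line names one executable, the kernel mapped another.
    Triage signal only: unquoted paths with spaces are handled below, but
    8.3 short names or launcher symlinks can still produce benign mismatches."""
    if ev.cmdline.lower().lstrip('"').startswith(ev.image.lower()):
        return False                       # unquoted "C:\Program Files\x.exe --y"
    tokens = split_cmdline(ev.cmdline)
    if not tokens:
        return False
    claimed = basename(tokens[0])
    if not claimed.endswith(".exe"):
        claimed += ".exe"                  # "notepad" vs "notepad.exe" is no mismatch
    return claimed != basename(ev.image)


RULES = {
    "startup_script_via_script_host": startup_script_launch,
    "image_cmdline_mismatch": image_cmdline_mismatch,
}


def run_detections(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule name) for every event that trips a rule, in event order."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"   # assumed path
STARTUP_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
DROPPED_EXE = r"C:\Users\user\AppData\Local\lecheries\reindulgence.exe"

# Constructed events modelled on the report's process tree (ppid 0 = not given).
SAMPLE_EVENTS = [
    ProcEvent(7572, 0, r"C:\Users\user\Desktop\4LbgdNQgna.exe", r'"C:\Users\user\Desktop\4LbgdNQgna.exe"'),
    ProcEvent(7644, 7572, DROPPED_EXE, r'"C:\Users\user\Desktop\4LbgdNQgna.exe"'),
    ProcEvent(7692, 7644, REGSVCS, r'"C:\Users\user\Desktop\4LbgdNQgna.exe"'),
    ProcEvent(7980, 4084, r"C:\Windows\System32\wscript.exe",
              f'"C:\\Windows\\System32\\WScript.exe" "{STARTUP_VBS}"'),
    ProcEvent(8032, 7980, DROPPED_EXE, f'"{DROPPED_EXE}"'),
    ProcEvent(8076, 8032, REGSVCS, f'"{DROPPED_EXE}"'),
    # benign control: same script host, script outside any Startup folder
    ProcEvent(9001, 4084, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Documents\notes.vbs"'),
]

if __name__ == "__main__":
    for pid, rule in run_detections(SAMPLE_EVENTS):
        print(pid, rule)
```

Against the constructed events the mismatch rule fires for PIDs 7644, 7692 and 8076, which is exactly the set the tree shows running under a borrowed command line, and the Startup rule fires only for the wscript.exe launch (PID 7980), not for the control script in Documents.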

Data Obfuscation

Sigma hit; Source: File created; Author: Joe Security
  EventID: 11 (Sysmon file create)
  Image: C:\Users\user\AppData\Local\lecheries\reindulgence.exe (ProcessId 7644)
  TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs
No Suricata rule has matched


              AV Detection

Source: 3.2.RegSvcs.exe.400000.0.unpack; Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Virustotal: Detection: 70%
Source: 4LbgdNQgna.exe; Virustotal: Detection: 70%
Source: 4LbgdNQgna.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Joe Sandbox ML: detected
Source: 4LbgdNQgna.exe; Joe Sandbox ML: detected
Source: 4LbgdNQgna.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: reindulgence.exe, 00000002.00000003.1441480889.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1442173904.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1585905263.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1584516971.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: reindulgence.exe, 00000002.00000003.1441480889.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1442173904.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1585905263.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1584516971.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0045DD7C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0045DD7C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose

              Networking

Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic; HTTP traffic detected (seen twice): GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 162.241.62.63
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query (seen twice): 1.1.1.1
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile
Source: global traffic; HTTP traffic detected (seen twice): GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1590094587.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.000000000328C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: reindulgence.exe, 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1587368704.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1590094587.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679022802.000000000156B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.000000000328C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.1590094587.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.000000000328C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: reindulgence.exe, 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
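The network indicators above and the extracted configuration describe a small, repeatable pattern: a GET /line/?fields=hosting to ip-api.com sent with no User-Agent header (ip-api's hosting field answers whether the client's public IP belongs to a hosting provider, which is why the report files it under "Check if machine is in data center or colocation facility"), followed by DNS resolution of and a TCP connection to the FTP host named in the configuration. The following is an added example written for this page, not Joe Sandbox's code: it normalises the configuration into host/port IOCs and runs two checks over a handful of constructed network records (the record format and the records themselves are this example's own, not captured traffic; only the configuration JSON and the request line are taken from the report).

```python
"""Turn the AgentTesla configuration into IOCs and check network records for
the hosting probe and for exfiltration traffic to the configured FTP host.
Added example; not Joe Sandbox's code. Records below are constructed."""
from __future__ import annotations

import json
from urllib.parse import parse_qs, urlsplit

# Verbatim from the report's Malware Configuration Extractor output.
CONFIG_JSON = ('{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", '
               '"Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}')

DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443, "smtp": 25}


def iocs_from_config(cfg_json: str) -> dict:
    """Normalise the config into host/port IOCs; the port falls back to the
    scheme default when the Host URL carries none."""
    cfg = json.loads(cfg_json)
    url = urlsplit(cfg["Host"])
    return {
        "mode": cfg["Exfil Mode"].lower(),
        "scheme": url.scheme,
        "host": (url.hostname or "").lower(),
        "port": url.port or DEFAULT_PORTS.get(url.scheme),
        "username": cfg.get("Username"),
    }


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, target and headers
    (header names lower-cased so lookups are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def hosting_lookup_without_ua(req: dict) -> bool:
    """GET /line/?fields=hosting to ip-api.com with no User-Agent header."""
    host = req["headers"].get("host", "").lower()
    fields = parse_qs(urlsplit(req["target"]).query).get("fields", [""])[0]
    return (host == "ip-api.com"
            and "hosting" in fields.split(",")
            and "user-agent" not in req["headers"])


def touches_exfil_host(rec: dict, ioc: dict) -> bool:
    """DNS resolution of, or a TCP connection to, the configured exfil endpoint."""
    if rec["type"] == "dns":
        return rec["qname"].lower() == ioc["host"]
    if rec["type"] == "conn":
        return rec["dst"].lower() == ioc["host"] and rec["dport"] == ioc["port"]
    return False


def triage(records: list[dict], ioc: dict) -> list[tuple[int, str]]:
    """Return (pid, finding) for each record that matches a check, in order."""
    findings = []
    for rec in records:
        if rec["type"] == "http" and hosting_lookup_without_ua(parse_http_request(rec["raw"])):
            findings.append((rec["pid"], "hosting_check_without_user_agent"))
        if touches_exfil_host(rec, ioc):
            findings.append((rec["pid"], f"{ioc['mode']}_exfil_endpoint"))
    return findings


# Constructed records (not captured traffic) following the report's sequence;
# the request text mirrors the HTTP line the report prints.
SAMPLE_RECORDS = [
    {"type": "dns", "pid": 7692, "qname": "ip-api.com"},
    {"type": "http", "pid": 7692,
     "raw": "GET /line/?fields=hosting HTTP/1.1\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n"},
    {"type": "dns", "pid": 7692, "qname": "ftp.antoniomayol.com"},
    {"type": "conn", "pid": 7692, "dst": "ftp.antoniomayol.com", "dport": 21},
    # benign control: a browser request that carries a User-Agent
    {"type": "http", "pid": 1234,
     "raw": "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
]

if __name__ == "__main__":
    ioc = iocs_from_config(CONFIG_JSON)
    print("IOC:", ioc)
    for pid, finding in triage(SAMPLE_RECORDS, ioc):
        print(pid, finding)
```

Because the exfiltration channel is plain FTP on port 21, the credentials in the configuration and everything the stealer uploads cross the wire unencrypted; the same host/port pair is therefore also a usable egress block on a proxy or firewall, independent of the sample hash.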

              System Summary

Source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: AgenetTesla Type 2 Keylogger payload; Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_004331D9 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0047E1FA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0043323E NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0046F749 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044782B NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044096A NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00440938 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_0044099C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00440ADF NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00447A87 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00447B15 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00454C69 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00454C1B NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\4LbgdNQgna.exe; Code function: 0_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00401108 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0040116E NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_00401108 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_004331D9 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0047E1FA NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0043323E GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe; Code function: 6_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,6_2_00469681
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_0046F749 NtdllDialogWndProc_W,6_2_0046F749
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,6_2_00447870
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_0044782B NtdllDialogWndProc_W,6_2_0044782B
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_0044096A NtdllDialogWndProc_W,6_2_0044096A
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,6_2_0044796B
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00440938 NtdllDialogWndProc_W,6_2_00440938
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W,6_2_00469995
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_0044099C NtdllDialogWndProc_W,6_2_0044099C
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00440ADF NtdllDialogWndProc_W,6_2_00440ADF
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00447A87 SendMessageW,NtdllDialogWndProc_W,6_2_00447A87
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00447B15 NtdllDialogWndProc_W,6_2_00447B15
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,6_2_00440B39
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00454C69 NtdllDialogWndProc_W,6_2_00454C69
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00454C1B NtdllDialogWndProc_W,6_2_00454C1B
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W,6_2_00461EB0
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00434D50 GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,74BC5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00412038
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00427161
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0047E1FA
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004212BE
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00443390
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00443391
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0041A46B
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0041240C
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00446566
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004045E0
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0041D750
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004037E0
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00427859
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00412818
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0040F890
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0042397B
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00409A40
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00411B63
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0047CBF0
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0044EBBC
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00412C38
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0044ED9A
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00423EBF
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00424F70
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0041AF0D
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_01843690
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 2_2_012B3690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00E1B48A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00E14A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00E1AD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00E13E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00E141B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06217E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062166C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06212440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06215270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0621C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0621B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06217770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0621E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062159C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0621001F
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00412038
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00427161
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0047E1FA
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_004212BE
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00443390
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00443391
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0041A46B
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0041240C
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00446566
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_004045E0
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0041D750
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_004037E0
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00427859
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00412818
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0040F890
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0042397B
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00409A40
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00411B63
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0047CBF0
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0044EBBC
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00412C38
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0044ED9A
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00423EBF
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00424F70
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0041AF0D
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00B63690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01484A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0148AD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0148ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01483E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_014841B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05C6C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05C6AE5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A166C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A15670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A12440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A1C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A1B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A17E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A17770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A1E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A15DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A10033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06A10006
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: String function: 0040E6D0 appears 35 times
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: String function: 0040E6D0 appears 35 times
Source: 4LbgdNQgna.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4LbgdNQgna.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9934512867647058
Source: reindulgence.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9934512867647058
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0044AF5C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | File created: C:\Users\user\AppData\Local\lecheries
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | File created: C:\Users\user\AppData\Local\Temp\aut2BE6.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Command line argument: Wu (0_2_0040D7F0)
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Command line argument: Wu (6_2_0040D7F0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4LbgdNQgna.exe | Virustotal: Detection: 70%
Source: 4LbgdNQgna.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | File read: C:\Users\user\Desktop\4LbgdNQgna.exe
Source: unknown | Process created: C:\Users\user\Desktop\4LbgdNQgna.exe "C:\Users\user\Desktop\4LbgdNQgna.exe"
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Process created: C:\Users\user\AppData\Local\lecheries\reindulgence.exe "C:\Users\user\Desktop\4LbgdNQgna.exe"
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\4LbgdNQgna.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\lecheries\reindulgence.exe "C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Process created: C:\Users\user\AppData\Local\lecheries\reindulgence.exe "C:\Users\user\Desktop\4LbgdNQgna.exe"
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\4LbgdNQgna.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\lecheries\reindulgence.exe "C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
              Source: Binary string: wntdll.pdbUGP source: reindulgence.exe, 00000002.00000003.1441480889.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1442173904.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1585905263.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1584516971.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: reindulgence.exe, 00000002.00000003.1441480889.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1442173904.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1585905263.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1584516971.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe Code function: 6_2_004171D1 push ecx; ret 6_2_004171E4
              Source: initial sample Static PE information: section name: UPX0
              Source: initial sample Static PE information: section name: UPX1
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe File created: C:\Users\user\AppData\Local\lecheries\reindulgence.exe

              Boot Survival

              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe Code function: 6_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_004772DE
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe Code function: 6_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_004375B0
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: reindulgence.exe PID: 7644, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: reindulgence.exe PID: 8032, type: MEMORYSTR
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe Code function: 0_2_00444078 0_2_00444078
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe Code function: 6_2_00444078 6_2_00444078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe API/Special instruction interceptor: Address: 12B32B4
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe API/Special instruction interceptor: Address: B632B4
              Source: 4LbgdNQgna.exe, 00000000.00000002.1427990588.0000000002E8D000.00000004.00000020.00020000.00000000.sdmp, 4LbgdNQgna.exe, 00000000.00000003.1415358976.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, 4LbgdNQgna.exe, 00000000.00000003.1414654428.0000000002E71000.00000004.00000020.00020000.00000000.sdmp, 4LbgdNQgna.exe, 00000000.00000003.1419886821.0000000002E8D000.00000004.00000020.00020000.00000000.sdmp, 4LbgdNQgna.exe, 00000000.00000003.1415419698.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1428263532.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1435231103.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000002.1447510145.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1428919219.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.1429020063.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
              Source: reindulgence.exe, 00000006.00000003.1572582155.0000000003691000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.1587886366.00000000036AD000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1574119479.00000000036B0000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1573923541.00000000036B0000.00000004.00000020.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.1577876828.00000000036AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEA
              Source: reindulgence.exe, 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1590094587.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598891
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598667
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598514
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598312
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598187
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597969
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597859
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597749
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597629
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597509
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597281
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596953
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596844
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596734
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596625
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596516
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596266
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595867
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595750
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595634
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595515
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595405
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595294
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594937
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594828
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594375
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594266
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593937
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599672Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599563Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599438Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599313Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599203Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599094Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598969Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597891Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597672Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597563Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597438Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597218Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596891Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596766Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596656Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596438Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596313Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596188Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596078Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595969Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595844Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595734Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595625Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595516Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595406Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595297Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595188Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595063Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594953Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594844Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594719Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7845
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1995
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1930
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7916
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | API coverage: 3.3 %
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | API coverage: 3.3 %
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,6_2_00436ADE
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,6_2_00452126
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,6_2_0045C999
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00434BEE
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0045DD7C FindFirstFileW,FindClose,6_2_0045DD7C
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,6_2_0044BD29
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,6_2_00436D2D
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00442E1F
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_00475FE5
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_0044BF8D
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599765
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599219
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598891
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598667
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598514
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598312
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598187
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598078
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597969
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597859
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597749
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597629
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597509
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597391
              Source: RegSvcs.exe, 00000007.00000002.2679851570.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
              Source: RegSvcs.exe, 00000007.00000002.2679851570.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: reindulgence.exe, 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: hgfsZrw6
              Source: reindulgence.exe, 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
              Source: RegSvcs.exe, 00000003.00000002.1593074516.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2684798956.0000000006453000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | API call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | API call chain: ExitProcess graph end node

              Anti Debugging

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00E17070 CheckRemoteDebuggerPresent,3_2_00E17070
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0045A259 BlockInput,0_2_0045A259
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_01843580 mov eax, dword ptr fs:[00000030h] 0_2_01843580
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_01843520 mov eax, dword ptr fs:[00000030h] 0_2_01843520
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_01841EB0 mov eax, dword ptr fs:[00000030h] 0_2_01841EB0
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 2_2_012B3520 mov eax, dword ptr fs:[00000030h] 2_2_012B3520
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 2_2_012B1EB0 mov eax, dword ptr fs:[00000030h] 2_2_012B1EB0
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 2_2_012B3580 mov eax, dword ptr fs:[00000030h] 2_2_012B3580
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00B63580 mov eax, dword ptr fs:[00000030h] 6_2_00B63580
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00B63520 mov eax, dword ptr fs:[00000030h] 6_2_00B63520
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_00B61EB0 mov eax, dword ptr fs:[00000030h] 6_2_00B61EB0
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_00426DA1
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0042202E SetUnhandledExceptionFilter,0_2_0042202E
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004230F5
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00421FA7
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0042202E SetUnhandledExceptionFilter,6_2_0042202E
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_004230F5
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00417D93
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exeCode function: 6_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00421FA7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 654008
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EA2008
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0043916A LogonUserW
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\4LbgdNQgna.exe"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\lecheries\reindulgence.exe "C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
              Source: 4LbgdNQgna.exe, reindulgence.exe | Binary or memory string: Shell_TrayWnd
              Source: 4LbgdNQgna.exe, 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp, reindulgence.exe, 00000002.00000002.1445949742.0000000000482000.00000040.00000001.01000000.00000004.sdmp, reindulgence.exe, 00000006.00000002.1586700471.0000000000482000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_00410D10 cpuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004711D2 GetUserNameW
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2679851570.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1590094587.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: reindulgence.exe PID: 7644, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: reindulgence.exe PID: 8032, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8076, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: reindulgence.exe, 00000006.00000002.1586700471.0000000000482000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
              Source: reindulgence.exe | Binary or memory string: WIN_XP
              Source: reindulgence.exe | Binary or memory string: WIN_XPe
              Source: reindulgence.exe | Binary or memory string: WIN_VISTA
              Source: reindulgence.exe | Binary or memory string: WIN_7
              Source: Yara match | File source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1590094587.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: reindulgence.exe PID: 7644, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: reindulgence.exe PID: 8032, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8076, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 2.2.reindulgence.exe.12c0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.reindulgence.exe.b70000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.reindulgence.exe.12c0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.reindulgence.exe.b70000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2679851570.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1590094587.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: reindulgence.exe PID: 7644, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: reindulgence.exe PID: 8032, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8076, type: MEMORYSTR
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket
              Source: C:\Users\user\Desktop\4LbgdNQgna.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket
              Source: C:\Users\user\AppData\Local\lecheries\reindulgence.exe | Code function: 6_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information111
              Scripting
              2
              Valid Accounts
              221
              Windows Management Instrumentation
              111
              Scripting
              1
              Exploitation for Privilege Escalation
              11
              Disable or Modify Tools
              2
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              2
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts3
              Native API
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Deobfuscate/Decode Files or Information
              21
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol2
              Data from Local System
              1
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              Command and Scripting Interpreter
              2
              Valid Accounts
              2
              Valid Accounts
              21
              Obfuscated Files or Information
              1
              Credentials in Registry
              2
              File and Directory Discovery
              SMB/Windows Admin Shares1
              Email Collection
              2
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCron2
              Registry Run Keys / Startup Folder
              21
              Access Token Manipulation
              11
              Software Packing
              NTDS138
              System Information Discovery
              Distributed Component Object Model21
              Input Capture
              2
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
              Process Injection
              1
              DLL Side-Loading
              LSA Secrets841
              Security Software Discovery
              SSH3
              Clipboard Data
              Fallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
              Registry Run Keys / Startup Folder
              1
              Masquerading
              Cached Domain Credentials231
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Valid Accounts
              DCSync2
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job231
              Virtualization/Sandbox Evasion
              Proc Filesystem11
              Application Window Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
              Access Token Manipulation
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
              Process Injection
              Network Sniffing1
              System Network Configuration Discovery
              Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
              Behavior Graph ID: 1588884 | Sample: 4LbgdNQgna.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100

              Start node
                DNS/IP: ip-api.com; ftp.antoniomayol.com; antoniomayol.com
                Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
                Started: 4LbgdNQgna.exe; wscript.exe

              4LbgdNQgna.exe
                Dropped: C:\Users\user\AppData\...\reindulgence.exe (PE32)
                Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to detect sleep reduction / modifications
                Started: reindulgence.exe

              wscript.exe
                Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                Started: reindulgence.exe

              reindulgence.exe (started by 4LbgdNQgna.exe)
                Dropped: C:\Users\user\AppData\...\reindulgence.vbs (data)
                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops VBS files to the startup folder; 2 other signatures
                Started: RegSvcs.exe

              reindulgence.exe (started by wscript.exe)
                Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
                Started: RegSvcs.exe

              RegSvcs.exe (started by the reindulgence.exe instance under 4LbgdNQgna.exe)
                DNS/IP: antoniomayol.com 162.241.62.63, ports 21, 49707, 49711, UNIFIEDLAYER-AS-1US, United States; ip-api.com 208.95.112.1, ports 49706, 49710, 80, TUT-ASUS, United States
                Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

              RegSvcs.exe (started by the reindulgence.exe instance under wscript.exe)
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

              Source | Detection | Scanner | Label
              4LbgdNQgna.exe | 70% | Virustotal |
              4LbgdNQgna.exe | 63% | ReversingLabs | Win32.Trojan.AgentTesla
              4LbgdNQgna.exe | 100% | Joe Sandbox ML |

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\lecheries\reindulgence.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\lecheries\reindulgence.exe | 63% | ReversingLabs | Win32.Trojan.AgentTesla
              C:\Users\user\AppData\Local\lecheries\reindulgence.exe | 70% | Virustotal |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              antoniomayol.com | 162.241.62.63 | true | false | | high
              ip-api.com | 208.95.112.1 | true | false | | high
              ftp.antoniomayol.com | unknown | unknown | false | | high

              Name | Malicious | Antivirus Detection | Reputation
              http://ip-api.com/line/?fields=hosting | false | | high

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://antoniomayol.com | RegSvcs.exe, 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://ftp.antoniomayol.com | RegSvcs.exe, 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://account.dyn.com/ | reindulgence.exe, 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.1590094587.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://ip-api.com | RegSvcs.exe, 00000003.00000002.1590094587.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2679851570.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.241.62.63 | antoniomayol.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1588884
                                Start date and time:2025-01-11 06:41:12 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 12s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:4LbgdNQgna.exe
                                renamed because original name is a hash value
                                Original Sample Name:35931dde3f9e60ae4cbf22e5348bc4afca8d6145137a27a25216edba8b66f68e.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 44
                                • Number of non-executed functions: 301
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 172.202.163.200
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:42:12 | API Interceptor | 1960157x Sleep call for process: RegSvcs.exe modified
06:42:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context

IP 208.95.112.1 (all detected malicious, threat name AgentTesla, context ip-api.com/line/?fields=hosting):
toIuQILmr1.exe, LfZAz7DQzo.exe, Q5QrxfKnFA.exe, RHOqJ5BrHW.exe, J8V6dFanEo.exe, 3FjrbCZgDN.exe, ewYjhndHg2.exe, uEuTtkxAqq.exe, 0I9GLRSiy0.exe, NUGMrDcg4v.exe

IP 162.241.62.63:
Order 122001-220 guanzo.exe | malicious | FormBook | www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox

Domain ip-api.com (all detected malicious, threat name AgentTesla, context 208.95.112.1):
toIuQILmr1.exe, LfZAz7DQzo.exe, Q5QrxfKnFA.exe, RHOqJ5BrHW.exe, J8V6dFanEo.exe, 3FjrbCZgDN.exe, ewYjhndHg2.exe, uEuTtkxAqq.exe, 0I9GLRSiy0.exe, NUGMrDcg4v.exe

ASN UNIFIEDLAYER-AS-1US:
toIuQILmr1.exe | malicious | AgentTesla | 162.241.62.63
LfZAz7DQzo.exe | malicious | AgentTesla | 162.241.62.63
zdmZjYqz44.exe | malicious | AgentTesla | 108.179.234.136
ZeAX5i7cGB.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
iNFGd6bDZX.exe | malicious | AgentTesla | 192.254.225.136
RHOqJ5BrHW.exe | malicious | AgentTesla | 162.241.62.63
ru52XOQ1p7.exe | malicious | AgentTesla | 192.254.186.165
28uMwHvbTD.exe | malicious | AgentTesla | 162.241.62.63
https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher | 162.241.149.91

ASN TUT-ASUS (all detected malicious, threat name AgentTesla, context 208.95.112.1):
toIuQILmr1.exe, LfZAz7DQzo.exe, Q5QrxfKnFA.exe, RHOqJ5BrHW.exe, J8V6dFanEo.exe, 3FjrbCZgDN.exe, ewYjhndHg2.exe, uEuTtkxAqq.exe, 0I9GLRSiy0.exe, NUGMrDcg4v.exe
No context
                                Process:C:\Users\user\Desktop\4LbgdNQgna.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):159688
                                Entropy (8bit):7.949074388103173
                                Encrypted:false
                                SSDEEP:3072:Aw/xJQ9MkpZV920GmBtUxkLYrJMZstECOUr:5wxn2eBtUxFlMkOUr
                                MD5:D1812E501C2C89C5371E234B0112A874
                                SHA1:C04400E0470962FA182E697C5CFE23DCCC3058B5
                                SHA-256:0F1DC72E81AECD11F4EEBF6140610A501EF9BDC5597B7585FCCF3C35B322A5B2
                                SHA-512:E260384DC2D7C79B079A1A14D79B8BCBC209A37775BCB638A725E6C0B28E32C60C1A665F02F596793C1C01DE4DCC390DB7A8B76208EBA288C6741939F65AC0AA
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\lecheries\reindulgence.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):159688
                                Entropy (8bit):7.949074388103173
                                Encrypted:false
                                SSDEEP:3072:Aw/xJQ9MkpZV920GmBtUxkLYrJMZstECOUr:5wxn2eBtUxFlMkOUr
                                MD5:D1812E501C2C89C5371E234B0112A874
                                SHA1:C04400E0470962FA182E697C5CFE23DCCC3058B5
                                SHA-256:0F1DC72E81AECD11F4EEBF6140610A501EF9BDC5597B7585FCCF3C35B322A5B2
                                SHA-512:E260384DC2D7C79B079A1A14D79B8BCBC209A37775BCB638A725E6C0B28E32C60C1A665F02F596793C1C01DE4DCC390DB7A8B76208EBA288C6741939F65AC0AA
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\lecheries\reindulgence.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):159688
                                Entropy (8bit):7.949074388103173
                                Encrypted:false
                                SSDEEP:3072:Aw/xJQ9MkpZV920GmBtUxkLYrJMZstECOUr:5wxn2eBtUxFlMkOUr
                                MD5:D1812E501C2C89C5371E234B0112A874
                                SHA1:C04400E0470962FA182E697C5CFE23DCCC3058B5
                                SHA-256:0F1DC72E81AECD11F4EEBF6140610A501EF9BDC5597B7585FCCF3C35B322A5B2
                                SHA-512:E260384DC2D7C79B079A1A14D79B8BCBC209A37775BCB638A725E6C0B28E32C60C1A665F02F596793C1C01DE4DCC390DB7A8B76208EBA288C6741939F65AC0AA
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\4LbgdNQgna.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):245248
                                Entropy (8bit):6.696365122733968
                                Encrypted:false
                                SSDEEP:6144:9EjwW1zMDjC/7pg3+FEfmvFWBcHvtG6vmjdfefy3J7y1c:9wzpTF1vFo+1TKfdZ1
                                MD5:E8D41FA1C1D78EA2A2AA75688A23FA11
                                SHA1:8D271F7175B3F367873AB61C9D1ADA6449C01C3E
                                SHA-256:33D698A0F363F220A366EB5FE84D5D708B1407928A795DCF10075FA8C6396B9B
                                SHA-512:78B094B428C42125AB75240FEBE82788DF523AED48FABD51C0C8E9E0513ED4B4AB858FA59C8051B6E7DA23D088ABC5C7675925F4DB2FBE7940BDD3992761E93C
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\4LbgdNQgna.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                Category:dropped
                                Size (bytes):573168
                                Entropy (8bit):7.568601531907528
                                Encrypted:false
                                SSDEEP:12288:B9BvctM85t35JPNJj2WzoRLQYRYzmYhnc9skqXatMdJ8s8:BD0tM85tbNJjldeYiYhncGZqtoJ89
                                MD5:DB18C7473665C8C3C28ABEF8107AC4E8
                                SHA1:AC8826DF8832D3CF3825D1523F5D605C9FF22EA6
                                SHA-256:35931DDE3F9E60AE4CBF22E5348BC4AFCA8D6145137A27A25216EDBA8B66F68E
                                SHA-512:A44F2DEC7DEC52ED499C7A05DEE8960C390A168F82531D13371F45D0E6185FE9E6C99FB384E827B9D087756109C6BB0D2697D2B097E0BFDB193A064E0022B8D0
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 63%
                                • Antivirus: Virustotal, Detection: 70%, Browse
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#...... ........................@..........................P................@.......@.....................PB..........P...........................................................................................................UPX0....................................UPX1..... ..........................@....rsrc................"..............@..............................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....
                                Process:C:\Users\user\AppData\Local\lecheries\reindulgence.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):286
                                Entropy (8bit):3.3673704534948348
                                Encrypted:false
                                SSDEEP:6:DMM8lfm3OOQdUfclwL1UEZ+lX1RakXwrCaaB6nriIM8lfQVn:DsO+vNlwBQ1ph4mA2n
                                MD5:F6205F2D0CA028CE1141815C083CE063
                                SHA1:A340F553F78127DAD332FA64BE615E655EB39695
                                SHA-256:9E817DB37F22B8C0A72AC548AB93779EFD83AE669D5B317022CF4E5EB66E9A99
                                SHA-512:FD46758A72B5A13EED0B7538541CE81CBF26D26CFE7D8F2FF564578EECC32A9013904AC7D82710ABA24EA39CDB4A52A1B5920D01B47408A3A8A9014D81523220
                                Malicious:true
                                Reputation:low
Preview (UTF-16LE text, decoded):
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "C:\Users\hubert\AppData\Local\lecheries\reindulgence.exe", 1
    Set WshShell = Nothing
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                Entropy (8bit):7.568601531907528
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.39%
                                • UPX compressed Win32 Executable (30571/9) 0.30%
                                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                File name:4LbgdNQgna.exe
                                File size:573'168 bytes
                                MD5:db18c7473665c8c3c28abef8107ac4e8
                                SHA1:ac8826df8832d3cf3825d1523f5d605c9ff22ea6
                                SHA256:35931dde3f9e60ae4cbf22e5348bc4afca8d6145137a27a25216edba8b66f68e
                                SHA512:a44f2dec7dec52ed499c7a05dee8960c390a168f82531d13371f45d0e6185fe9e6c99fb384e827b9d087756109c6bb0d2697d2b097e0bfdb193a064e0022b8d0
                                SSDEEP:12288:B9BvctM85t35JPNJj2WzoRLQYRYzmYhnc9skqXatMdJ8s8:BD0tM85tbNJjldeYiYhncGZqtoJ89
                                TLSH:A3C40147B08110ABD968FFB700631E45939BAE65B97531062DAF3C24A6B36B3307718F
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                Icon Hash:0d2d0d1723293133
                                Entrypoint:0x4cabb0
                                Entrypoint Section:UPX1
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:77b2e5e9b52fbef7638f64ab65f0c58c
                                Instruction
                                pushad
                                mov esi, 00489000h
                                lea edi, dword ptr [esi-00088000h]
                                push edi
                                jmp 00007F865CC6494Dh
                                nop
                                mov al, byte ptr [esi]
                                inc esi
                                mov byte ptr [edi], al
                                inc edi
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                jc 00007F865CC6492Fh
                                mov eax, 00000001h
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                adc eax, eax
                                add ebx, ebx
                                jnc 00007F865CC6494Dh
                                jne 00007F865CC6496Ah
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                jc 00007F865CC64961h
                                dec eax
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                adc eax, eax
                                jmp 00007F865CC64916h
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                adc ecx, ecx
                                jmp 00007F865CC64994h
                                xor ecx, ecx
                                sub eax, 03h
                                jc 00007F865CC64953h
                                shl eax, 08h
                                mov al, byte ptr [esi]
                                inc esi
                                xor eax, FFFFFFFFh
                                je 00007F865CC649B7h
                                sar eax, 1
                                mov ebp, eax
                                jmp 00007F865CC6494Dh
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                jc 00007F865CC6490Eh
                                inc ecx
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                jc 00007F865CC64900h
                                add ebx, ebx
                                jne 00007F865CC64949h
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                adc ecx, ecx
                                add ebx, ebx
                                jnc 00007F865CC64931h
                                jne 00007F865CC6494Bh
                                mov ebx, dword ptr [esi]
                                sub esi, FFFFFFFCh
                                adc ebx, ebx
                                jnc 00007F865CC64926h
                                add ecx, 02h
                                cmp ebp, FFFFFB00h
                                adc ecx, 02h
                                lea edx, dword ptr [edi+ebp]
                                cmp ebp, FFFFFFFCh
                                jbe 00007F865CC64950h
                                mov al, byte ptr [edx]
                                Programming Language:
                                • [ASM] VS2008 SP1 build 30729
                                • [ C ] VS2008 SP1 build 30729
                                • [C++] VS2008 SP1 build 30729
                                • [ C ] VS2005 build 50727
                                • [IMP] VS2005 build 50727
                                • [ASM] VS2008 build 21022
                                • [RES] VS2008 build 21022
                                • [LNK] VS2008 SP1 build 30729
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe4250 | 0x3b0 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x19250 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 UPX0 | 0x1000 | 0x88000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 UPX1 | 0x89000 | 0x42000 | 0x41e00 | 80d19dcf10aa2f61b5db01ff1935b4e0 | False | 0.9934512867647058 | data | 7.929803791912329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rsrc | 0xcb000 | 0x1a000 | 0x19600 | 1cd2c05982e41b1ec28f657f2d8241a7 | False | 0.1710764316502463 | data | 3.3247442970903482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 RT_ICON | 0xcb50c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                 RT_ICON | 0xcb638 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                 RT_ICON | 0xcb764 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                 RT_ICON | 0xcb890 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | Great Britain | 0.45567375886524825
                                 RT_ICON | 0xcbcfc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | Great Britain | 0.299953095684803
                                 RT_ICON | 0xccda8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | Great Britain | 0.2274896265560166
                                 RT_ICON | 0xcf354 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | Great Britain | 0.18865139348134152
                                 RT_ICON | 0xd3580 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | Great Britain | 0.13214243463858985
                                 RT_MENU | 0xc3d88 | 0x50 | data | English | Great Britain | 1.1375
                                 RT_DIALOG | 0xc3dd8 | 0xfc | data | English | Great Britain | 1.0436507936507937
                                 RT_STRING | 0xc3ed8 | 0x530 | data | English | Great Britain | 1.0082831325301205
                                 RT_STRING | 0xc4408 | 0x690 | data | English | Great Britain | 1.006547619047619
                                 RT_STRING | 0xc4a98 | 0x43a | OpenPGP Secret Key | English | Great Britain | 1.010166358595194
                                 RT_STRING | 0xc4ed8 | 0x5fc | data | English | Great Britain | 1.0071801566579635
                                 RT_STRING | 0xc54d8 | 0x65c | data | English | Great Britain | 1.0067567567567568
                                 RT_STRING | 0xc5b38 | 0x388 | data | English | Great Britain | 1.0121681415929205
                                 RT_STRING | 0xc5ec0 | 0x158 | data | English | United States | 1.0319767441860466
                                 RT_GROUP_ICON | 0xe3dac | 0x4c | data | English | Great Britain | 0.8157894736842105
                                 RT_GROUP_ICON | 0xe3dfc | 0x14 | data | English | Great Britain | 1.15
                                 RT_GROUP_ICON | 0xe3e14 | 0x14 | data | English | Great Britain | 1.25
                                 RT_GROUP_ICON | 0xe3e2c | 0x14 | data | English | Great Britain | 1.25
                                 RT_VERSION | 0xe3e44 | 0x19c | data | English | Great Britain | 0.5339805825242718
                                 RT_MANIFEST | 0xe3fe4 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                 DLL | Import
                                 KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                 ADVAPI32.dll | GetAce
                                 COMCTL32.dll | ImageList_Remove
                                 COMDLG32.dll | GetSaveFileNameW
                                 GDI32.dll | LineTo
                                 MPR.dll | WNetGetConnectionW
                                 ole32.dll | CoInitialize
                                 OLEAUT32.dll | SafeArrayUnaccessData
                                 PSAPI.DLL | EnumProcesses
                                 SHELL32.dll | DragFinish
                                 USER32.dll | GetDC
                                 USERENV.dll | LoadUserProfileW
                                 VERSION.dll | VerQueryValueW
                                 WININET.dll | FtpOpenFileW
                                 WINMM.dll | timeGetTime
                                 WSOCK32.dll | recv
                                 Language of compilation system | Country where language is spoken | Map
                                 English | Great Britain |
                                 English | United States |
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jan 11, 2025 06:42:12.048415899 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:12.053178072 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:12.053380966 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:12.079667091 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:12.084531069 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:12.664635897 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:12.723352909 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:13.981184959 CET | 49707 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:13.986002922 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.8
                                 Jan 11, 2025 06:42:13.986426115 CET | 49707 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:14.002809048 CET | 49707 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:14.007745028 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.8
                                 Jan 11, 2025 06:42:14.007801056 CET | 49707 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:26.130177021 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:26.136225939 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:26.136356115 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:26.136733055 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:26.142093897 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:26.591785908 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:26.604691982 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:26.639090061 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:42:27.193917036 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:27.198860884 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
                                 Jan 11, 2025 06:42:27.198932886 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:57.204197884 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
                                 Jan 11, 2025 06:42:57.204332113 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:57.204477072 CET | 49711 | 21 | 192.168.2.8 | 162.241.62.63
                                 Jan 11, 2025 06:42:57.210170984 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.8
                                 Jan 11, 2025 06:43:04.362034082 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
                                 Jan 11, 2025 06:43:04.362121105 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:43:17.201823950 CET | 49710 | 80 | 192.168.2.8 | 208.95.112.1
                                 Jan 11, 2025 06:43:17.206648111 CET | 80 | 49710 | 208.95.112.1 | 192.168.2.8
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jan 11, 2025 06:42:12.036422014 CET | 55363 | 53 | 192.168.2.8 | 1.1.1.1
                                 Jan 11, 2025 06:42:12.043035030 CET | 53 | 55363 | 1.1.1.1 | 192.168.2.8
                                 Jan 11, 2025 06:42:13.664762974 CET | 50355 | 53 | 192.168.2.8 | 1.1.1.1
                                 Jan 11, 2025 06:42:13.979835987 CET | 53 | 50355 | 1.1.1.1 | 192.168.2.8
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Jan 11, 2025 06:42:12.036422014 CET | 192.168.2.8 | 1.1.1.1 | 0x846d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                 Jan 11, 2025 06:42:13.664762974 CET | 192.168.2.8 | 1.1.1.1 | 0x1401 | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Jan 11, 2025 06:42:12.043035030 CET | 1.1.1.1 | 192.168.2.8 | 0x846d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                 Jan 11, 2025 06:42:13.979835987 CET | 1.1.1.1 | 192.168.2.8 | 0x1401 | No error (0) | ftp.antoniomayol.com | antoniomayol.com | | CNAME (Canonical name) | IN (0x0001) | false
                                 Jan 11, 2025 06:42:13.979835987 CET | 1.1.1.1 | 192.168.2.8 | 0x1401 | No error (0) | antoniomayol.com | | 162.241.62.63 | A (IP address) | IN (0x0001) | false
                                • ip-api.com
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 7692 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Jan 11, 2025 06:42:12.079667091 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                 Jan 11, 2025 06:42:12.664635897 CET | 175 | IN | HTTP/1.1 200 OK
                                Date: Sat, 11 Jan 2025 05:42:12 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 1 | 192.168.2.8 | 49710 | 208.95.112.1 | 80 | 8076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Jan 11, 2025 06:42:26.136733055 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                 Jan 11, 2025 06:42:26.591785908 CET | 175 | IN | HTTP/1.1 200 OK
                                Date: Sat, 11 Jan 2025 05:42:26 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 45
                                X-Rl: 43
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false


                                Target ID:0
                                Start time:00:42:07
                                Start date:11/01/2025
                                Path:C:\Users\user\Desktop\4LbgdNQgna.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\4LbgdNQgna.exe"
                                Imagebase:0x400000
                                File size:573'168 bytes
                                MD5 hash:DB18C7473665C8C3C28ABEF8107AC4E8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:00:42:08
                                Start date:11/01/2025
                                Path:C:\Users\user\AppData\Local\lecheries\reindulgence.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\4LbgdNQgna.exe"
                                Imagebase:0x400000
                                File size:573'168 bytes
                                MD5 hash:DB18C7473665C8C3C28ABEF8107AC4E8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000002.00000002.1447435076.00000000012C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 63%, ReversingLabs
                                • Detection: 70%, Virustotal, Browse
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:00:42:10
                                Start date:11/01/2025
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\4LbgdNQgna.exe"
                                Imagebase:0x5f0000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1586802613.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1590094587.0000000002A0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1590094587.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1590094587.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:00:42:22
                                Start date:11/01/2025
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
                                Imagebase:0x7ff608980000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:00:42:23
                                Start date:11/01/2025
                                Path:C:\Users\user\AppData\Local\lecheries\reindulgence.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
                                Imagebase:0x400000
                                File size:573'168 bytes
                                MD5 hash:DB18C7473665C8C3C28ABEF8107AC4E8
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.1587584524.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:00:42:24
                                Start date:11/01/2025
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\lecheries\reindulgence.exe"
                                Imagebase:0xdf0000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2679851570.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2679851570.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                  Execution Graph

                                  Execution Coverage:3%
                                  Dynamic/Decrypted Code Coverage:1.2%
                                  Signature Coverage:4.8%
                                  Total number of Nodes:1541
                                  Total number of Limit Nodes:33
84984->84915 84985->84915 84986->84920 84987->84924 84988->84926 84990 41171a 75 API calls 84989->84990 84991 40c088 84990->84991 84992 41171a 75 API calls 84991->84992 84993 40c096 84992->84993 84994 4608ce 75 API calls _memcpy_s 84993->84994 84994->84931 84996 40c752 84995->84996 84997 40c747 84995->84997 84996->84934 84997->84996 85001 402ae0 84997->85001 84999 42a572 _memcpy_s 84999->84934 85000->84933 85002 42a06a 85001->85002 85003 402aef 85001->85003 85008 401380 85002->85008 85003->84999 85005 42a072 85006 41171a 75 API calls 85005->85006 85007 42a095 _memcpy_s 85006->85007 85007->84999 85009 41171a 75 API calls 85008->85009 85010 401387 85009->85010 85010->85005 85012 45308c 85011->85012 85013 4530aa 85011->85013 85014 4530a1 85012->85014 85027 452e2a 111 API calls 5 library calls 85012->85027 85013->84942 85014->84942 85016 453098 85016->84942 85017->84943 85018->84947 85019->84953 85020->84955 85021->84957 85022->84954 85023->84961 85024->84963 85025->84965 85026->84944 85027->85016 85029 429440 85028->85029 85030 40f589 _wcslen 85028->85030 85031 40f58f WideCharToMultiByte 85030->85031 85032 40f5d8 85031->85032 85033 40f5ad 85031->85033 85032->84974 85034 41171a 75 API calls 85033->85034 85035 40f5bb WideCharToMultiByte 85034->85035 85035->84974 85036 40f110 RegOpenKeyExW 85037 40f13c RegQueryValueExW RegCloseKey 85036->85037 85038 40f15f 85036->85038 85037->85038 85039 416193 85076 41718c 85039->85076 85041 41619f GetStartupInfoW 85043 4161c2 85041->85043 85077 41aa31 HeapCreate 85043->85077 85045 416212 85079 416e29 GetModuleHandleW 85045->85079 85049 416223 __RTC_Initialize 85113 41b669 85049->85113 85052 416231 85053 41623d GetCommandLineW 85052->85053 85181 4117af 67 API calls 3 library calls 85052->85181 85128 42235f GetEnvironmentStringsW 85053->85128 85056 41624c 85134 4222b1 GetModuleFileNameW 85056->85134 85057 41623c 85057->85053 85059 416256 85060 416261 85059->85060 85182 4117af 67 API calls 3 library calls 85059->85182 85138 422082 
85060->85138 85064 416272 85151 41186e 85064->85151 85067 416279 85069 416284 __wwincmdln 85067->85069 85184 4117af 67 API calls 3 library calls 85067->85184 85157 40d7f0 85069->85157 85072 4162b3 85186 411a4b 67 API calls _doexit 85072->85186 85075 4162b8 _doexit 85076->85041 85078 416206 85077->85078 85078->85045 85179 41616a 67 API calls 3 library calls 85078->85179 85080 416e44 85079->85080 85081 416e3d 85079->85081 85083 416fac 85080->85083 85084 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 85080->85084 85187 41177f Sleep GetModuleHandleW 85081->85187 85197 416ad5 70 API calls 2 library calls 85083->85197 85087 416e97 TlsAlloc 85084->85087 85086 416e43 85086->85080 85089 416218 85087->85089 85090 416ee5 TlsSetValue 85087->85090 85089->85049 85180 41616a 67 API calls 3 library calls 85089->85180 85090->85089 85091 416ef6 85090->85091 85188 411a69 6 API calls 4 library calls 85091->85188 85093 416efb 85094 41696e __encode_pointer 6 API calls 85093->85094 85095 416f06 85094->85095 85096 41696e __encode_pointer 6 API calls 85095->85096 85097 416f16 85096->85097 85098 41696e __encode_pointer 6 API calls 85097->85098 85099 416f26 85098->85099 85100 41696e __encode_pointer 6 API calls 85099->85100 85101 416f36 85100->85101 85189 41828b InitializeCriticalSectionAndSpinCount __getstream 85101->85189 85103 416f43 85103->85083 85104 4169e9 __decode_pointer 6 API calls 85103->85104 85105 416f57 85104->85105 85105->85083 85190 416ffb 85105->85190 85108 4169e9 __decode_pointer 6 API calls 85109 416f8a 85108->85109 85109->85083 85110 416f91 85109->85110 85196 416b12 67 API calls 5 library calls 85110->85196 85112 416f99 GetCurrentThreadId 85112->85089 85216 41718c 85113->85216 85115 41b675 GetStartupInfoA 85116 416ffb __calloc_crt 67 API calls 85115->85116 85122 41b696 85116->85122 85117 41b8b4 _doexit 85117->85052 85118 41b831 GetStdHandle 85127 41b7fb 85118->85127 85119 41b896 SetHandleCount 85119->85117 85120 416ffb __calloc_crt 67 API calls 
85120->85122 85121 41b843 GetFileType 85121->85127 85122->85117 85122->85120 85123 41b77e 85122->85123 85122->85127 85123->85117 85124 41b7a7 GetFileType 85123->85124 85123->85127 85217 4189e6 InitializeCriticalSectionAndSpinCount _doexit 85123->85217 85124->85123 85127->85117 85127->85118 85127->85119 85127->85121 85218 4189e6 InitializeCriticalSectionAndSpinCount _doexit 85127->85218 85129 422370 85128->85129 85130 422374 85128->85130 85129->85056 85131 416fb6 __malloc_crt 67 API calls 85130->85131 85132 422395 _memcpy_s 85131->85132 85133 42239c FreeEnvironmentStringsW 85132->85133 85133->85056 85135 4222e6 _wparse_cmdline 85134->85135 85136 416fb6 __malloc_crt 67 API calls 85135->85136 85137 422329 _wparse_cmdline 85135->85137 85136->85137 85137->85059 85139 42209a _wcslen 85138->85139 85141 416267 85138->85141 85140 416ffb __calloc_crt 67 API calls 85139->85140 85146 4220be _wcslen 85140->85146 85141->85064 85183 4117af 67 API calls 3 library calls 85141->85183 85142 422123 85143 413a88 __mtterm 67 API calls 85142->85143 85143->85141 85144 416ffb __calloc_crt 67 API calls 85144->85146 85145 422149 85147 413a88 __mtterm 67 API calls 85145->85147 85146->85141 85146->85142 85146->85144 85146->85145 85149 422108 85146->85149 85219 426349 67 API calls __stricmp_l 85146->85219 85147->85141 85149->85146 85220 417d93 10 API calls 3 library calls 85149->85220 85152 41187c __IsNonwritableInCurrentImage 85151->85152 85221 418486 85152->85221 85154 41189a __initterm_e 85155 411421 __cinit 74 API calls 85154->85155 85156 4118b9 __IsNonwritableInCurrentImage __initterm 85154->85156 85155->85156 85156->85067 85158 431bcb 85157->85158 85159 40d80c 85157->85159 85160 4092c0 VariantClear 85159->85160 85161 40d847 85160->85161 85225 40eb50 85161->85225 85164 40d877 85228 411ac6 67 API calls 4 library calls 85164->85228 85167 40d888 85229 411b24 67 API calls __stricmp_l 85167->85229 85169 40d891 85230 40f370 SystemParametersInfoW SystemParametersInfoW 85169->85230 85171 40d89f 
85231 40d6d0 GetCurrentDirectoryW 85171->85231 85173 40d8a7 SystemParametersInfoW 85174 40d8cd 85173->85174 85175 4092c0 VariantClear 85174->85175 85176 40d8dd 85175->85176 85177 4092c0 VariantClear 85176->85177 85178 40d8e6 85177->85178 85178->85072 85185 411a1f 67 API calls _doexit 85178->85185 85179->85045 85180->85049 85181->85057 85182->85060 85183->85064 85184->85069 85185->85072 85186->85075 85187->85086 85188->85093 85189->85103 85193 417004 85190->85193 85192 416f70 85192->85083 85192->85108 85193->85192 85194 417022 Sleep 85193->85194 85198 422452 85193->85198 85195 417037 85194->85195 85195->85192 85195->85193 85196->85112 85197->85089 85199 42245e _doexit 85198->85199 85200 422476 85199->85200 85210 422495 _memset 85199->85210 85211 417f23 67 API calls __getptd_noexit 85200->85211 85202 42247b 85212 417ebb 6 API calls 2 library calls 85202->85212 85204 422507 RtlAllocateHeap 85204->85210 85205 42248b _doexit 85205->85193 85207 418407 __lock 66 API calls 85207->85210 85210->85204 85210->85205 85210->85207 85213 41a74c 5 API calls 2 library calls 85210->85213 85214 42254e RtlLeaveCriticalSection _doexit 85210->85214 85215 411afc 6 API calls __decode_pointer 85210->85215 85211->85202 85213->85210 85214->85210 85215->85210 85216->85115 85217->85123 85218->85127 85219->85146 85220->85149 85222 41848c 85221->85222 85223 41696e __encode_pointer 6 API calls 85222->85223 85224 4184a4 85222->85224 85223->85222 85224->85154 85269 40eb70 85225->85269 85228->85167 85229->85169 85230->85171 85273 401f80 85231->85273 85233 40d6f1 IsDebuggerPresent 85234 431a9d MessageBoxA 85233->85234 85235 40d6ff 85233->85235 85236 431ab6 85234->85236 85235->85236 85237 40d71f 85235->85237 85373 403e90 75 API calls 3 library calls 85236->85373 85343 40f3b0 85237->85343 85241 40d73a GetFullPathNameW 85371 401440 127 API calls _wcscat 85241->85371 85243 40d77a 85244 40d782 85243->85244 85245 431b09 SetCurrentDirectoryW 85243->85245 85246 40d78b 85244->85246 85374 43604b 6 API calls 
85244->85374 85245->85244 85353 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 85246->85353 85249 431b28 85249->85246 85251 431b30 GetModuleFileNameW 85249->85251 85253 431ba4 GetForegroundWindow ShellExecuteW 85251->85253 85254 431b4c 85251->85254 85256 40d7c7 85253->85256 85375 401b70 85254->85375 85255 40d795 85262 40d7a8 85255->85262 85361 40e1e0 85255->85361 85260 40d7d1 SetCurrentDirectoryW 85256->85260 85260->85173 85262->85256 85372 401000 Shell_NotifyIconW _memset 85262->85372 85263 431b66 85382 40d3b0 75 API calls 2 library calls 85263->85382 85266 431b72 GetForegroundWindow ShellExecuteW 85267 431b9f 85266->85267 85267->85256 85268 40eba0 LoadLibraryA GetProcAddress 85268->85164 85270 40d86e 85269->85270 85271 40eb76 LoadLibraryA 85269->85271 85270->85164 85270->85268 85271->85270 85272 40eb87 GetProcAddress 85271->85272 85272->85270 85383 40e680 85273->85383 85277 401fa2 GetModuleFileNameW 85401 40ff90 85277->85401 85279 401fbd 85413 4107b0 85279->85413 85282 401b70 75 API calls 85283 401fe4 85282->85283 85416 4019e0 85283->85416 85285 401ff2 85286 4092c0 VariantClear 85285->85286 85287 402002 85286->85287 85288 401b70 75 API calls 85287->85288 85289 40201c 85288->85289 85290 4019e0 76 API calls 85289->85290 85291 40202c 85290->85291 85292 401b70 75 API calls 85291->85292 85293 40203c 85292->85293 85424 40c3e0 85293->85424 85295 40204d 85296 40c060 75 API calls 85295->85296 85297 402061 85296->85297 85442 401a70 85297->85442 85299 40206e 85449 4115d0 85299->85449 85302 42c174 85304 401a70 75 API calls 85302->85304 85303 402088 85305 4115d0 __wcsicoll 79 API calls 85303->85305 85306 42c189 85304->85306 85307 402093 85305->85307 85309 401a70 75 API calls 85306->85309 85307->85306 85308 40209e 85307->85308 85310 4115d0 __wcsicoll 79 API calls 85308->85310 85311 42c1a7 85309->85311 85312 4020a9 85310->85312 85313 42c1b0 GetModuleFileNameW 85311->85313 85312->85313 85314 4020b4 85312->85314 85316 401a70 75 API calls 85313->85316 85315 
4115d0 __wcsicoll 79 API calls 85314->85315 85317 4020bf 85315->85317 85318 42c1e2 85316->85318 85319 402107 85317->85319 85323 401a70 75 API calls 85317->85323 85328 42c20a _wcscpy 85317->85328 85461 40df50 75 API calls 85318->85461 85322 402119 85319->85322 85319->85328 85321 42c1f1 85324 401a70 75 API calls 85321->85324 85325 42c243 85322->85325 85457 40e7e0 76 API calls 85322->85457 85326 4020e5 _wcscpy 85323->85326 85327 42c201 85324->85327 85334 401a70 75 API calls 85326->85334 85327->85328 85330 401a70 75 API calls 85328->85330 85338 402148 85330->85338 85331 402132 85458 40d030 76 API calls 85331->85458 85333 40213e 85335 4092c0 VariantClear 85333->85335 85334->85319 85335->85338 85336 402184 85340 4092c0 VariantClear 85336->85340 85338->85336 85341 401a70 75 API calls 85338->85341 85459 40d030 76 API calls 85338->85459 85460 40e640 76 API calls 85338->85460 85342 402196 moneypunct 85340->85342 85341->85338 85342->85233 85344 40f3c9 _memset 85343->85344 85349 40d732 85344->85349 86240 40ffb0 76 API calls moneypunct 85344->86240 85346 40f3d2 86241 410130 SHGetMalloc 85346->86241 85348 40f3d9 86246 410020 88 API calls __wcsicoll 85348->86246 85349->85241 85349->85243 85351 40f3e7 86247 40f400 85351->86247 85354 42b9d3 85353->85354 85355 41025a LoadImageW RegisterClassExW 85353->85355 86290 443e8f EnumResourceNamesW LoadImageW 85354->86290 86286 4102f0 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 85355->86286 85359 42b9da 85360 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 85360->85255 85362 40e207 _memset 85361->85362 85363 40e262 85362->85363 85364 42aa14 DestroyCursor 85362->85364 85365 40e2a4 85363->85365 86313 43737d 84 API calls __wcsicoll 85363->86313 85364->85363 85367 40e2c0 Shell_NotifyIconW 85365->85367 85368 42aa50 Shell_NotifyIconW 85365->85368 86291 401be0 85367->86291 85370 40e2da 85370->85262 85371->85243 85372->85256 85373->85243 85374->85249 85376 401b76 _wcslen 85375->85376 85377 41171a 75 API calls 85376->85377 
85378 401bc5 85376->85378 85379 401bad _memcpy_s 85377->85379 85381 40d3b0 75 API calls 2 library calls 85378->85381 85380 41171a 75 API calls 85379->85380 85380->85378 85381->85263 85382->85266 85384 40c060 75 API calls 85383->85384 85385 401f90 85384->85385 85386 402940 85385->85386 85387 40294a __write_nolock 85386->85387 85462 4021e0 85387->85462 85390 402972 85394 4029a4 85390->85394 85474 401cf0 85390->85474 85391 402ae0 75 API calls 85391->85394 85392 402abe 85392->85277 85393 402a8c 85393->85392 85395 401b70 75 API calls 85393->85395 85394->85391 85394->85393 85396 401b70 75 API calls 85394->85396 85398 401cf0 75 API calls 85394->85398 85477 40d970 75 API calls 2 library calls 85394->85477 85397 402ab3 85395->85397 85396->85394 85478 40d970 75 API calls 2 library calls 85397->85478 85398->85394 85480 40f5e0 85401->85480 85404 40ffa6 85404->85279 85406 42b6d8 85409 42b6e6 85406->85409 85536 434fe1 85406->85536 85408 413a88 __mtterm 67 API calls 85410 42b6f5 85408->85410 85409->85408 85411 434fe1 106 API calls 85410->85411 85412 42b702 85411->85412 85412->85279 85414 41171a 75 API calls 85413->85414 85415 401fd6 85414->85415 85415->85282 85417 401a03 85416->85417 85421 4019e5 85416->85421 85418 401a1a 85417->85418 85417->85421 86229 404260 76 API calls 85418->86229 85420 4019ff 85420->85285 85421->85420 86228 404260 76 API calls 85421->86228 85423 401a26 85423->85285 85425 40c3e4 85424->85425 85426 40c42c 85424->85426 85427 40c3f0 85425->85427 85428 42a475 85425->85428 85429 42a422 85426->85429 85430 40c435 85426->85430 86230 4042f0 75 API calls __cinit 85427->86230 86235 453155 75 API calls 85428->86235 85432 42a427 85429->85432 85433 42a445 85429->85433 85434 40c441 85430->85434 85439 42a455 85430->85439 85440 40c3fb 85432->85440 86232 453155 75 API calls 85432->86232 86233 453155 75 API calls 85433->86233 86231 4042f0 75 API calls __cinit 85434->86231 86234 453155 75 API calls 85439->86234 85440->85295 85443 401a90 85442->85443 85444 401a77 85442->85444 
85446 4021e0 75 API calls 85443->85446 85445 401a8d 85444->85445 86236 404080 75 API calls _memcpy_s 85444->86236 85445->85299 85448 401a9c 85446->85448 85448->85299 85450 4115e1 85449->85450 85451 411650 85449->85451 85456 40207d 85450->85456 86237 417f23 67 API calls __getptd_noexit 85450->86237 86239 4114bf 79 API calls 3 library calls 85451->86239 85454 4115ed 86238 417ebb 6 API calls 2 library calls 85454->86238 85456->85302 85456->85303 85457->85331 85458->85333 85459->85338 85460->85338 85461->85321 85463 4021f1 _wcslen 85462->85463 85464 42a598 85462->85464 85467 402205 85463->85467 85468 402226 85463->85468 85465 40c740 75 API calls 85464->85465 85466 42a5a2 85465->85466 85479 404020 75 API calls moneypunct 85467->85479 85470 401380 75 API calls 85468->85470 85472 40222d 85470->85472 85471 40220c _memcpy_s 85471->85390 85472->85466 85473 41171a 75 API calls 85472->85473 85473->85471 85475 402ae0 75 API calls 85474->85475 85476 401cf7 85475->85476 85476->85390 85477->85394 85478->85392 85479->85471 85481 40f580 77 API calls 85480->85481 85482 40f5f8 _strcat moneypunct 85481->85482 85540 40f6d0 85482->85540 85487 42b2ee 85569 4151b0 85487->85569 85489 40f679 85489->85487 85490 40f681 85489->85490 85556 414e94 85490->85556 85494 40f68b 85494->85404 85499 452574 85494->85499 85496 42b31d 85575 415484 85496->85575 85498 42b33d 85500 41557c _fseek 105 API calls 85499->85500 85501 4525df 85500->85501 86130 4523ce 85501->86130 85504 4525fc 85504->85406 85505 4151b0 __fread_nolock 81 API calls 85506 45261d 85505->85506 85507 4151b0 __fread_nolock 81 API calls 85506->85507 85508 45262e 85507->85508 85509 4151b0 __fread_nolock 81 API calls 85508->85509 85510 452649 85509->85510 85511 4151b0 __fread_nolock 81 API calls 85510->85511 85512 452666 85511->85512 85513 41557c _fseek 105 API calls 85512->85513 85514 452682 85513->85514 85515 4138ba _malloc 67 API calls 85514->85515 85516 45268e 85515->85516 85517 4138ba _malloc 67 API calls 85516->85517 85518 45269b 
85517->85518 85519 4151b0 __fread_nolock 81 API calls 85518->85519 85520 4526ac 85519->85520 85521 44afdc GetSystemTimeAsFileTime 85520->85521 85522 4526bf 85521->85522 85523 4526d5 85522->85523 85524 4526fd 85522->85524 85525 413a88 __mtterm 67 API calls 85523->85525 85526 452704 85524->85526 85527 45275b 85524->85527 85529 4526df 85525->85529 86136 44b195 85526->86136 85528 413a88 __mtterm 67 API calls 85527->85528 85531 452759 85528->85531 85532 413a88 __mtterm 67 API calls 85529->85532 85531->85406 85534 4526e8 85532->85534 85533 452753 85535 413a88 __mtterm 67 API calls 85533->85535 85534->85406 85535->85531 85537 434feb 85536->85537 85539 434ff1 85536->85539 85538 414e94 __fcloseall 106 API calls 85537->85538 85538->85539 85539->85409 85541 40f6dd _strlen 85540->85541 85588 40f790 85541->85588 85544 414e06 85673 414d40 85544->85673 85546 40f666 85546->85487 85547 40f450 85546->85547 85551 40f45a _strcat _memcpy_s __write_nolock 85547->85551 85548 4151b0 __fread_nolock 81 API calls 85548->85551 85550 42936d 85552 41557c _fseek 105 API calls 85550->85552 85551->85548 85551->85550 85555 40f531 85551->85555 85756 41557c 85551->85756 85553 429394 85552->85553 85554 4151b0 __fread_nolock 81 API calls 85553->85554 85554->85555 85555->85489 85557 414ea0 _doexit 85556->85557 85558 414ed1 85557->85558 85559 414eb4 85557->85559 85562 415965 __lock_file 68 API calls 85558->85562 85568 414ec9 _doexit 85558->85568 85886 417f23 67 API calls __getptd_noexit 85559->85886 85561 414eb9 85887 417ebb 6 API calls 2 library calls 85561->85887 85563 414ee9 85562->85563 85870 414e1d 85563->85870 85568->85494 85955 41511a 85569->85955 85571 4151c8 85572 44afdc 85571->85572 86123 4431e0 85572->86123 85574 44affd 85574->85496 85576 415490 _doexit 85575->85576 85577 4154bb 85576->85577 85578 41549e 85576->85578 85580 415965 __lock_file 68 API calls 85577->85580 86127 417f23 67 API calls __getptd_noexit 85578->86127 85582 4154c3 85580->85582 85581 4154a3 86128 417ebb 6 API calls 2 library 
calls 85581->86128 85584 4152e7 __ftell_nolock 71 API calls 85582->85584 85585 4154cf 85584->85585 86129 4154e8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 85585->86129 85587 4154b3 _doexit 85587->85498 85590 40f7ae _memset 85588->85590 85591 40f628 85590->85591 85592 415258 85590->85592 85591->85544 85593 415285 85592->85593 85594 415268 85592->85594 85593->85594 85595 41528c 85593->85595 85603 417f23 67 API calls __getptd_noexit 85594->85603 85605 41c551 103 API calls 14 library calls 85595->85605 85598 41526d 85604 417ebb 6 API calls 2 library calls 85598->85604 85599 4152b2 85601 41527d 85599->85601 85606 4191c9 85599->85606 85601->85590 85603->85598 85605->85599 85627 41453a 85606->85627 85609 4191e4 85636 417f23 67 API calls __getptd_noexit 85609->85636 85610 4191fb 85612 4191ff 85610->85612 85622 41920c __flsbuf 85610->85622 85637 417f23 67 API calls __getptd_noexit 85612->85637 85614 41926d 85615 4192fc 85614->85615 85616 41927c 85614->85616 85617 41c3cf __locking 101 API calls 85615->85617 85618 419293 85616->85618 85623 4192b0 85616->85623 85621 4191e9 85617->85621 85647 41c3cf 85618->85647 85621->85601 85622->85614 85622->85621 85624 419262 85622->85624 85638 423649 85622->85638 85623->85621 85672 4234e7 71 API calls 5 library calls 85623->85672 85624->85614 85633 423600 85624->85633 85628 41455e 85627->85628 85629 414549 85627->85629 85628->85609 85628->85610 85630 417f23 __stricmp_l 67 API calls 85629->85630 85631 41454e 85630->85631 85632 417ebb __stricmp_l 6 API calls 85631->85632 85632->85628 85634 416fb6 __malloc_crt 67 API calls 85633->85634 85635 423615 85634->85635 85635->85614 85636->85621 85637->85621 85639 423656 85638->85639 85640 423665 85638->85640 85641 417f23 __stricmp_l 67 API calls 85639->85641 85643 423689 85640->85643 85644 417f23 __stricmp_l 67 API calls 85640->85644 85642 42365b 85641->85642 85642->85624 85643->85624 85645 423679 85644->85645 85646 417ebb __stricmp_l 6 API calls 85645->85646 85646->85643 85648 41c3db 
_doexit 85647->85648 85649 41c3e3 85648->85649 85650 41c3fe 85648->85650 85651 417f36 __lseeki64 67 API calls 85649->85651 85652 41c40c 85650->85652 85655 41c44d 85650->85655 85653 41c3e8 85651->85653 85654 417f36 __lseeki64 67 API calls 85652->85654 85656 417f23 __stricmp_l 67 API calls 85653->85656 85657 41c411 85654->85657 85658 41ba3b ___lock_fhandle 68 API calls 85655->85658 85665 41c3f0 _doexit 85656->85665 85659 417f23 __stricmp_l 67 API calls 85657->85659 85660 41c453 85658->85660 85661 41c418 85659->85661 85663 41c460 85660->85663 85664 41c476 85660->85664 85662 417ebb __stricmp_l 6 API calls 85661->85662 85662->85665 85666 41bc9c __write_nolock 99 API calls 85663->85666 85667 417f23 __stricmp_l 67 API calls 85664->85667 85665->85621 85668 41c46e 85666->85668 85669 41c47b 85667->85669 85671 41c4a1 __locking RtlLeaveCriticalSection 85668->85671 85670 417f36 __lseeki64 67 API calls 85669->85670 85670->85668 85671->85665 85672->85621 85676 414d4c _doexit 85673->85676 85674 414d5f 85725 417f23 67 API calls __getptd_noexit 85674->85725 85676->85674 85678 414d95 85676->85678 85677 414d64 85726 417ebb 6 API calls 2 library calls 85677->85726 85692 41e28c 85678->85692 85681 414d9a 85682 414da1 85681->85682 85683 414dae 85681->85683 85727 417f23 67 API calls __getptd_noexit 85682->85727 85685 414dd6 85683->85685 85686 414db6 85683->85686 85710 41dfd8 85685->85710 85728 417f23 67 API calls __getptd_noexit 85686->85728 85689 414d74 _doexit @_EH4_CallFilterFunc@8 85689->85546 85693 41e298 _doexit 85692->85693 85694 418407 __lock 67 API calls 85693->85694 85695 41e2a6 85694->85695 85696 41e322 85695->85696 85700 418344 __mtinitlocknum 67 API calls 85695->85700 85707 41e31b 85695->85707 85733 4159a6 68 API calls __lock 85695->85733 85734 415a14 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 85695->85734 85698 416fb6 __malloc_crt 67 API calls 85696->85698 85699 41e32c 85698->85699 85699->85707 85735 4189e6 InitializeCriticalSectionAndSpinCount _doexit 
85699->85735 85700->85695 85702 41e3b0 _doexit 85702->85681 85704 41e351 85705 41e35c 85704->85705 85706 41e36f RtlEnterCriticalSection 85704->85706 85708 413a88 __mtterm 67 API calls 85705->85708 85706->85707 85730 41e3bb 85707->85730 85708->85707 85717 41dffb __wopenfile 85710->85717 85711 41e015 85740 417f23 67 API calls __getptd_noexit 85711->85740 85713 41e01a 85741 417ebb 6 API calls 2 library calls 85713->85741 85715 41e247 85737 425db0 85715->85737 85717->85711 85724 41e1e9 85717->85724 85742 4136bc 79 API calls 2 library calls 85717->85742 85720 41e1e2 85720->85724 85743 4136bc 79 API calls 2 library calls 85720->85743 85722 41e201 85722->85724 85744 4136bc 79 API calls 2 library calls 85722->85744 85724->85711 85724->85715 85725->85677 85727->85689 85728->85689 85729 414dfc RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 85729->85689 85736 41832d RtlLeaveCriticalSection 85730->85736 85732 41e3c2 85732->85702 85733->85695 85734->85695 85735->85704 85736->85732 85745 425ce4 85737->85745 85739 414de1 85739->85729 85740->85713 85742->85720 85743->85722 85744->85724 85748 425cf0 _doexit 85745->85748 85746 425d03 85747 417f23 __stricmp_l 67 API calls 85746->85747 85749 425d08 85747->85749 85748->85746 85750 425d41 85748->85750 85751 417ebb __stricmp_l 6 API calls 85749->85751 85752 4255c4 __tsopen_nolock 132 API calls 85750->85752 85754 425d17 _doexit 85751->85754 85753 425d5b 85752->85753 85755 425d82 __sopen_helper RtlLeaveCriticalSection 85753->85755 85754->85739 85755->85754 85757 415588 _doexit 85756->85757 85758 415596 85757->85758 85760 4155c4 85757->85760 85787 417f23 67 API calls __getptd_noexit 85758->85787 85769 415965 85760->85769 85762 41559b 85788 417ebb 6 API calls 2 library calls 85762->85788 85768 4155ab _doexit 85768->85551 85770 415977 85769->85770 85771 415999 RtlEnterCriticalSection 85769->85771 85770->85771 85772 41597f 85770->85772 85774 4155cc 85771->85774 85773 418407 __lock 67 API calls 85772->85773 85773->85774 85775 4154f2 
85774->85775 85776 415502 85775->85776 85778 415512 85775->85778 85838 417f23 67 API calls __getptd_noexit 85776->85838 85782 415524 85778->85782 85790 4152e7 85778->85790 85780 415507 85789 4155f7 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 85780->85789 85807 41486c 85782->85807 85784 41453a __fileno 67 API calls 85785 415564 85784->85785 85813 41efd4 85785->85813 85787->85762 85789->85768 85791 41531a 85790->85791 85792 4152fa 85790->85792 85793 41453a __fileno 67 API calls 85791->85793 85839 417f23 67 API calls __getptd_noexit 85792->85839 85795 415320 85793->85795 85798 41efd4 __locking 71 API calls 85795->85798 85796 4152ff 85840 417ebb 6 API calls 2 library calls 85796->85840 85799 415335 85798->85799 85800 4153a9 85799->85800 85802 415364 85799->85802 85806 41530f 85799->85806 85841 417f23 67 API calls __getptd_noexit 85800->85841 85803 41efd4 __locking 71 API calls 85802->85803 85802->85806 85804 415404 85803->85804 85805 41efd4 __locking 71 API calls 85804->85805 85804->85806 85805->85806 85806->85782 85808 414885 85807->85808 85812 4148a7 85807->85812 85809 41453a __fileno 67 API calls 85808->85809 85808->85812 85810 4148a0 85809->85810 85811 41c3cf __locking 101 API calls 85810->85811 85811->85812 85812->85784 85814 41efe0 _doexit 85813->85814 85815 41f003 85814->85815 85816 41efe8 85814->85816 85818 41f011 85815->85818 85821 41f052 85815->85821 85862 417f36 67 API calls __getptd_noexit 85816->85862 85864 417f36 67 API calls __getptd_noexit 85818->85864 85819 41efed 85863 417f23 67 API calls __getptd_noexit 85819->85863 85842 41ba3b 85821->85842 85823 41f016 85865 417f23 67 API calls __getptd_noexit 85823->85865 85826 41f01d 85866 417ebb 6 API calls 2 library calls 85826->85866 85827 41f058 85829 41f065 85827->85829 85830 41f07b 85827->85830 85852 41ef5f 85829->85852 85867 417f23 67 API calls __getptd_noexit 85830->85867 85831 41eff5 _doexit 85831->85780 85834 41f073 85869 41f0a6 RtlLeaveCriticalSection __unlock_fhandle 85834->85869 85835 
41f080 85868 417f36 67 API calls __getptd_noexit 85835->85868 85838->85780 85839->85796 85841->85806 85844 41ba47 _doexit 85842->85844 85843 41baa2 85846 41bac4 _doexit 85843->85846 85847 41baa7 RtlEnterCriticalSection 85843->85847 85844->85843 85845 418407 __lock 67 API calls 85844->85845 85848 41ba73 85845->85848 85846->85827 85847->85846 85849 41ba8a 85848->85849 85850 4189e6 __getstream InitializeCriticalSectionAndSpinCount 85848->85850 85851 41bad2 ___lock_fhandle RtlLeaveCriticalSection 85849->85851 85850->85849 85851->85843 85853 41b9c4 __chsize_nolock 67 API calls 85852->85853 85854 41ef6e 85853->85854 85855 41ef84 SetFilePointer 85854->85855 85856 41ef74 85854->85856 85858 41efa3 85855->85858 85859 41ef9b GetLastError 85855->85859 85857 417f23 __stricmp_l 67 API calls 85856->85857 85860 41ef79 85857->85860 85858->85860 85861 417f49 __dosmaperr 67 API calls 85858->85861 85859->85858 85860->85834 85861->85860 85862->85819 85863->85831 85864->85823 85865->85826 85867->85835 85868->85834 85869->85831 85871 414e31 85870->85871 85872 414e4d 85870->85872 85916 417f23 67 API calls __getptd_noexit 85871->85916 85874 414e46 85872->85874 85876 41486c __flush 101 API calls 85872->85876 85888 414f08 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 85874->85888 85875 414e36 85917 417ebb 6 API calls 2 library calls 85875->85917 85877 414e59 85876->85877 85889 41e680 85877->85889 85881 41453a __fileno 67 API calls 85882 414e67 85881->85882 85893 41e5b3 85882->85893 85884 414e6d 85884->85874 85885 413a88 __mtterm 67 API calls 85884->85885 85885->85874 85886->85561 85888->85568 85890 41e690 85889->85890 85891 414e61 85889->85891 85890->85891 85892 413a88 __mtterm 67 API calls 85890->85892 85891->85881 85892->85891 85894 41e5bf _doexit 85893->85894 85895 41e5e2 85894->85895 85896 41e5c7 85894->85896 85898 41e5f0 85895->85898 85901 41e631 85895->85901 85933 417f36 67 API calls __getptd_noexit 85896->85933 85935 417f36 67 API calls __getptd_noexit 85898->85935 85899 
41e5cc 85934 417f23 67 API calls __getptd_noexit 85899->85934 85904 41ba3b ___lock_fhandle 68 API calls 85901->85904 85903 41e5f5 85936 417f23 67 API calls __getptd_noexit 85903->85936 85906 41e637 85904->85906 85909 41e652 85906->85909 85910 41e644 85906->85910 85907 41e5fc 85937 417ebb 6 API calls 2 library calls 85907->85937 85938 417f23 67 API calls __getptd_noexit 85909->85938 85918 41e517 85910->85918 85911 41e5d4 _doexit 85911->85884 85914 41e64c 85939 41e676 RtlLeaveCriticalSection __unlock_fhandle 85914->85939 85916->85875 85940 41b9c4 85918->85940 85920 41e57d 85953 41b93e 68 API calls 2 library calls 85920->85953 85921 41e527 85921->85920 85923 41e55b 85921->85923 85926 41b9c4 __chsize_nolock 67 API calls 85921->85926 85923->85920 85924 41b9c4 __chsize_nolock 67 API calls 85923->85924 85927 41e567 CloseHandle 85924->85927 85925 41e585 85928 41e5a7 85925->85928 85954 417f49 67 API calls 3 library calls 85925->85954 85929 41e552 85926->85929 85927->85920 85930 41e573 GetLastError 85927->85930 85928->85914 85932 41b9c4 __chsize_nolock 67 API calls 85929->85932 85930->85920 85932->85923 85933->85899 85934->85911 85935->85903 85936->85907 85938->85914 85939->85911 85941 41b9d1 85940->85941 85942 41b9e9 85940->85942 85943 417f36 __lseeki64 67 API calls 85941->85943 85944 417f36 __lseeki64 67 API calls 85942->85944 85952 41ba2e 85942->85952 85945 41b9d6 85943->85945 85946 41ba17 85944->85946 85947 417f23 __stricmp_l 67 API calls 85945->85947 85948 417f23 __stricmp_l 67 API calls 85946->85948 85949 41b9de 85947->85949 85950 41ba1e 85948->85950 85949->85921 85951 417ebb __stricmp_l 6 API calls 85950->85951 85951->85952 85952->85921 85953->85925 85954->85928 85956 415126 _doexit 85955->85956 85957 41516f 85956->85957 85958 415164 _doexit 85956->85958 85961 41513a _memset 85956->85961 85959 415965 __lock_file 68 API calls 85957->85959 85958->85571 85960 415177 85959->85960 85968 414f10 85960->85968 85984 417f23 67 API calls __getptd_noexit 85961->85984 85964 415154 
85985 417ebb 6 API calls 2 library calls 85964->85985 85972 414f2e _memset 85968->85972 85974 414f4c 85968->85974 85969 414f37 86037 417f23 67 API calls __getptd_noexit 85969->86037 85971 414f3c 86038 417ebb 6 API calls 2 library calls 85971->86038 85972->85969 85972->85974 85981 414f8b 85972->85981 85986 4151a6 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 85974->85986 85976 4150d5 _memset 86041 417f23 67 API calls __getptd_noexit 85976->86041 85977 4150a9 _memset 86040 417f23 67 API calls __getptd_noexit 85977->86040 85978 41453a __fileno 67 API calls 85978->85981 85981->85974 85981->85976 85981->85977 85981->85978 85987 41ed9e 85981->85987 86017 41e6b1 85981->86017 86039 41ee9b 67 API calls 3 library calls 85981->86039 85984->85964 85986->85958 85988 41edaa _doexit 85987->85988 85989 41edb2 85988->85989 85990 41edcd 85988->85990 86111 417f36 67 API calls __getptd_noexit 85989->86111 85992 41eddb 85990->85992 85995 41ee1c 85990->85995 86113 417f36 67 API calls __getptd_noexit 85992->86113 85993 41edb7 86112 417f23 67 API calls __getptd_noexit 85993->86112 85998 41ee29 85995->85998 85999 41ee3d 85995->85999 85997 41ede0 86114 417f23 67 API calls __getptd_noexit 85997->86114 86116 417f36 67 API calls __getptd_noexit 85998->86116 86002 41ba3b ___lock_fhandle 68 API calls 85999->86002 86005 41ee43 86002->86005 86003 41ede7 86115 417ebb 6 API calls 2 library calls 86003->86115 86004 41ee2e 86117 417f23 67 API calls __getptd_noexit 86004->86117 86009 41ee50 86005->86009 86010 41ee66 86005->86010 86008 41edbf _doexit 86008->85981 86042 41e7dc 86009->86042 86118 417f23 67 API calls __getptd_noexit 86010->86118 86013 41ee6b 86119 417f36 67 API calls __getptd_noexit 86013->86119 86014 41ee5e 86120 41ee91 RtlLeaveCriticalSection __unlock_fhandle 86014->86120 86018 41e6c1 86017->86018 86022 41e6de 86017->86022 86121 417f23 67 API calls __getptd_noexit 86018->86121 86020 41e6c6 86122 417ebb 6 API calls 2 library calls 86020->86122 86023 41e713 86022->86023 86024 
423600 __getbuf 67 API calls 86022->86024 86029 41e6d6 86022->86029 86025 41453a __fileno 67 API calls 86023->86025 86024->86023 86026 41e727 86025->86026 86027 41ed9e __read 79 API calls 86026->86027 86028 41e72e 86027->86028 86028->86029 86030 41453a __fileno 67 API calls 86028->86030 86029->85981 86031 41e751 86030->86031 86031->86029 86032 41453a __fileno 67 API calls 86031->86032 86033 41e75d 86032->86033 86033->86029 86034 41453a __fileno 67 API calls 86033->86034 86035 41e769 86034->86035 86036 41453a __fileno 67 API calls 86035->86036 86036->86029 86037->85971 86039->85981 86040->85971 86041->85971 86043 41e813 86042->86043 86044 41e7f8 86042->86044 86045 41e822 86043->86045 86047 41e849 86043->86047 86046 417f36 __lseeki64 67 API calls 86044->86046 86048 417f36 __lseeki64 67 API calls 86045->86048 86049 41e7fd 86046->86049 86051 41e868 86047->86051 86062 41e87c 86047->86062 86050 41e827 86048->86050 86052 417f23 __stricmp_l 67 API calls 86049->86052 86054 417f23 __stricmp_l 67 API calls 86050->86054 86055 417f36 __lseeki64 67 API calls 86051->86055 86063 41e805 86052->86063 86053 41e8d4 86057 417f36 __lseeki64 67 API calls 86053->86057 86056 41e82e 86054->86056 86058 41e86d 86055->86058 86059 417ebb __stricmp_l 6 API calls 86056->86059 86060 41e8d9 86057->86060 86061 417f23 __stricmp_l 67 API calls 86058->86061 86059->86063 86064 417f23 __stricmp_l 67 API calls 86060->86064 86065 41e874 86061->86065 86062->86053 86062->86063 86066 41e8b0 86062->86066 86067 41e8f5 86062->86067 86063->86014 86064->86065 86068 417ebb __stricmp_l 6 API calls 86065->86068 86066->86053 86071 41e8bb ReadFile 86066->86071 86070 416fb6 __malloc_crt 67 API calls 86067->86070 86068->86063 86072 41e90b 86070->86072 86073 41ed62 GetLastError 86071->86073 86074 41e9e7 86071->86074 86077 41e931 86072->86077 86078 41e913 86072->86078 86075 41ebe8 86073->86075 86076 41ed6f 86073->86076 86074->86073 86081 41e9fb 86074->86081 86085 417f49 __dosmaperr 67 API calls 86075->86085 86106 41eb6d 
86075->86106 86079 417f23 __stricmp_l 67 API calls 86076->86079 86082 423462 __lseeki64_nolock 69 API calls 86077->86082 86080 417f23 __stricmp_l 67 API calls 86078->86080 86083 41ed74 86079->86083 86084 41e918 86080->86084 86089 41ea17 86081->86089 86090 41ec2d 86081->86090 86081->86106 86086 41e93d 86082->86086 86087 417f36 __lseeki64 67 API calls 86083->86087 86088 417f36 __lseeki64 67 API calls 86084->86088 86085->86106 86086->86071 86087->86106 86088->86063 86092 41ea7d ReadFile 86089->86092 86098 41eafa 86089->86098 86093 41eca5 ReadFile 86090->86093 86090->86106 86091 413a88 __mtterm 67 API calls 86091->86063 86096 41ea9b GetLastError 86092->86096 86101 41eaa5 86092->86101 86094 41ecc4 GetLastError 86093->86094 86102 41ecce 86093->86102 86094->86090 86094->86102 86095 41ebbe MultiByteToWideChar 86097 41ebe2 GetLastError 86095->86097 86095->86106 86096->86089 86096->86101 86097->86075 86099 41eb75 86098->86099 86100 41eb68 86098->86100 86098->86106 86107 41eb32 86098->86107 86099->86107 86108 41ebac 86099->86108 86103 417f23 __stricmp_l 67 API calls 86100->86103 86101->86089 86104 423462 __lseeki64_nolock 69 API calls 86101->86104 86102->86090 86105 423462 __lseeki64_nolock 69 API calls 86102->86105 86103->86106 86104->86101 86105->86102 86106->86063 86106->86091 86107->86095 86109 423462 __lseeki64_nolock 69 API calls 86108->86109 86110 41ebbb 86109->86110 86110->86095 86111->85993 86112->86008 86113->85997 86114->86003 86116->86004 86117->86003 86118->86013 86119->86014 86120->86008 86121->86020 86126 414cef GetSystemTimeAsFileTime __aulldiv 86123->86126 86125 4431ef 86125->85574 86126->86125 86127->85581 86129->85587 86135 4523e1 _wcscpy 86130->86135 86131 4151b0 81 API calls __fread_nolock 86131->86135 86132 44afdc GetSystemTimeAsFileTime 86132->86135 86133 452553 86133->85504 86133->85505 86134 41557c 105 API calls _fseek 86134->86135 86135->86131 86135->86132 86135->86133 86135->86134 86137 44b1b4 86136->86137 86138 44b1a6 86136->86138 86140 44b1ca 
86137->86140 86141 44b1c2 86137->86141 86142 414e06 138 API calls 86137->86142 86139 414e06 138 API calls 86138->86139 86139->86137 86171 4352d1 86140->86171 86141->85533 86144 44b2c1 86142->86144 86144->86140 86146 44b2cf 86144->86146 86145 44b20d 86148 44b211 86145->86148 86149 44b23b 86145->86149 86147 44b2dc 86146->86147 86150 414e94 __fcloseall 106 API calls 86146->86150 86147->85533 86152 44b21e 86148->86152 86154 414e94 __fcloseall 106 API calls 86148->86154 86175 43526e 86149->86175 86150->86147 86155 44b22e 86152->86155 86158 414e94 __fcloseall 106 API calls 86152->86158 86153 44b242 86156 44b270 86153->86156 86157 44b248 86153->86157 86154->86152 86155->85533 86185 44b0af 86156->86185 86160 414e94 __fcloseall 106 API calls 86157->86160 86161 44b255 86157->86161 86158->86155 86160->86161 86162 44b265 86161->86162 86165 414e94 __fcloseall 106 API calls 86161->86165 86162->85533 86163 44b276 86194 43522c 86163->86194 86165->86162 86167 44b289 86169 44b299 86167->86169 86170 414e94 __fcloseall 106 API calls 86167->86170 86168 414e94 __fcloseall 106 API calls 86168->86167 86169->85533 86170->86169 86172 4352f7 86171->86172 86174 4352df _memcpy_s 86171->86174 86173 4151b0 __fread_nolock 81 API calls 86172->86173 86173->86174 86174->86145 86176 4138ba _malloc 67 API calls 86175->86176 86177 43527d 86176->86177 86178 4138ba _malloc 67 API calls 86177->86178 86179 43528d 86178->86179 86180 4138ba _malloc 67 API calls 86179->86180 86181 43529d 86180->86181 86182 43522c 67 API calls 86181->86182 86183 4352bc 86181->86183 86184 4352c8 86182->86184 86183->86153 86184->86153 86186 44b17a 86185->86186 86190 44b0ca 86185->86190 86206 4351a6 86186->86206 86188 443236 81 API calls 86188->86190 86190->86186 86190->86188 86193 44b189 86190->86193 86202 4432cd 86190->86202 86210 44b03a 81 API calls 86190->86210 86193->86163 86195 435241 86194->86195 86196 43523b 86194->86196 86198 435254 86195->86198 86200 413a88 __mtterm 67 API calls 86195->86200 86197 413a88 __mtterm 67 API 
calls 86196->86197 86197->86195 86199 435267 86198->86199 86201 413a88 __mtterm 67 API calls 86198->86201 86199->86167 86199->86168 86200->86198 86201->86199 86203 443341 86202->86203 86204 4432e3 86202->86204 86203->86204 86211 4351d9 86203->86211 86204->86190 86207 4351b5 86206->86207 86209 4351c8 86206->86209 86208 4146ce 103 API calls 86207->86208 86208->86209 86209->86163 86210->86190 86212 435204 86211->86212 86214 43521b 86211->86214 86215 4146ce 86212->86215 86214->86203 86216 4146da _doexit 86215->86216 86217 414712 86216->86217 86218 4146f2 86216->86218 86221 414707 _doexit 86216->86221 86219 415965 __lock_file 68 API calls 86217->86219 86220 417f23 __stricmp_l 67 API calls 86218->86220 86222 41471a 86219->86222 86223 4146f7 86220->86223 86221->86214 86224 41456c 101 API calls 86222->86224 86225 417ebb __stricmp_l 6 API calls 86223->86225 86226 41472f 86224->86226 86225->86221 86227 414746 RtlLeaveCriticalSection RtlLeaveCriticalSection 86226->86227 86227->86221 86228->85420 86229->85423 86230->85440 86231->85440 86232->85440 86233->85439 86234->85440 86235->85440 86236->85445 86237->85454 86239->85456 86240->85346 86242 410148 SHGetDesktopFolder 86241->86242 86245 4101a3 _wcscpy 86241->86245 86243 41015a _wcscpy 86242->86243 86242->86245 86244 41018a SHGetPathFromIDListW 86243->86244 86243->86245 86244->86245 86245->85348 86246->85351 86248 40f5e0 152 API calls 86247->86248 86249 40f417 86248->86249 86250 42ca37 86249->86250 86251 40f42c 86249->86251 86252 42ca1f 86249->86252 86253 452574 140 API calls 86250->86253 86278 4037e0 139 API calls 7 library calls 86251->86278 86279 43717f 110 API calls _printf 86252->86279 86254 42ca50 86253->86254 86257 42ca76 86254->86257 86258 42ca54 86254->86258 86262 41171a 75 API calls 86257->86262 86261 434fe1 106 API calls 86258->86261 86259 40f446 86259->85349 86260 42ca2d 86260->86250 86263 42ca5e 86261->86263 86277 42cacc moneypunct 86262->86277 86280 43717f 110 API calls _printf 86263->86280 86265 42ca6c 
86265->86257 86266 42ccc3 86267 413a88 __mtterm 67 API calls 86266->86267 86268 42cccd 86267->86268 86269 434fe1 106 API calls 86268->86269 86270 42ccda 86269->86270 86274 401b70 75 API calls 86274->86277 86277->86266 86277->86274 86281 445051 75 API calls _memcpy_s 86277->86281 86282 44c80c 87 API calls 3 library calls 86277->86282 86283 44b408 75 API calls 86277->86283 86284 402cc0 75 API calls 2 library calls 86277->86284 86285 4026a0 75 API calls moneypunct 86277->86285 86278->86259 86279->86260 86280->86265 86281->86277 86282->86277 86283->86277 86284->86277 86285->86277 86287 410390 LoadIconW 86286->86287 86289 40d790 86287->86289 86289->85360 86290->85359 86292 401bfb 86291->86292 86312 401cde 86291->86312 86314 4013a0 86292->86314 86295 42a9a0 LoadStringW 86298 42a9bb 86295->86298 86296 401c18 86297 4021e0 75 API calls 86296->86297 86299 401c2d 86297->86299 86320 40df50 75 API calls 86298->86320 86301 401c3a 86299->86301 86302 42a9cd 86299->86302 86301->86298 86303 401c44 86301->86303 86321 40d3b0 75 API calls 2 library calls 86302->86321 86319 40d3b0 75 API calls 2 library calls 86303->86319 86306 42a9dc 86307 401c53 _memset _wcscpy _wcsncpy 86306->86307 86308 42a9f0 86306->86308 86311 401cc2 Shell_NotifyIconW 86307->86311 86322 40d3b0 75 API calls 2 library calls 86308->86322 86310 42a9fe 86311->86312 86312->85370 86313->85365 86315 41171a 75 API calls 86314->86315 86316 4013c4 86315->86316 86317 401380 75 API calls 86316->86317 86318 4013d3 86317->86318 86318->86295 86318->86296 86319->86307 86320->86307 86321->86306 86322->86310 86323 18423f0 86337 1840000 86323->86337 86325 18424db 86340 18422e0 86325->86340 86327 1842504 CreateFileW 86329 1842558 86327->86329 86336 1842553 86327->86336 86330 184256f VirtualAlloc 86329->86330 86329->86336 86331 1842590 ReadFile 86330->86331 86330->86336 86332 18425ab 86331->86332 86331->86336 86333 1841070 12 API calls 86332->86333 86334 18425c5 86333->86334 86335 18412e0 GetPEB GetPEB 86334->86335 86335->86336 86343 
1843520 GetPEB 86337->86343 86339 184068b 86339->86325 86341 18422e9 Sleep 86340->86341 86342 18422f7 86341->86342 86344 184354a 86343->86344 86344->86339 86345 42919b 86350 40ef10 86345->86350 86348 411421 __cinit 74 API calls 86349 4291aa 86348->86349 86351 41171a 75 API calls 86350->86351 86352 40ef17 86351->86352 86353 42ad48 86352->86353 86358 40ef40 74 API calls __cinit 86352->86358 86355 40ef2a 86359 40e470 86355->86359 86358->86355 86360 40c060 75 API calls 86359->86360 86361 40e483 GetVersionExW 86360->86361 86362 4021e0 75 API calls 86361->86362 86363 40e4bb 86362->86363 86385 40e600 86363->86385 86368 42accc 86371 42ad28 GetSystemInfo 86368->86371 86374 42ad38 GetSystemInfo 86371->86374 86372 40e557 GetCurrentProcess 86405 40ee30 LoadLibraryA GetProcAddress 86372->86405 86373 40e56c 86373->86374 86398 40eee0 86373->86398 86378 40e5c9 86402 40eea0 86378->86402 86381 40e5e0 86383 40e5f1 FreeLibrary 86381->86383 86384 40e5f4 86381->86384 86382 40e5dd FreeLibrary 86382->86381 86383->86384 86384->86348 86386 40e60b 86385->86386 86387 40c740 75 API calls 86386->86387 86388 40e4c2 86387->86388 86389 40e620 86388->86389 86390 40e62a 86389->86390 86391 42ac93 86390->86391 86392 40c740 75 API calls 86390->86392 86393 40e4ce 86392->86393 86393->86368 86394 40ee70 86393->86394 86395 40e551 86394->86395 86396 40ee76 LoadLibraryA 86394->86396 86395->86372 86395->86373 86396->86395 86397 40ee87 GetProcAddress 86396->86397 86397->86395 86399 40e5bf 86398->86399 86400 40eee6 LoadLibraryA 86398->86400 86399->86371 86399->86378 86400->86399 86401 40eef7 GetProcAddress 86400->86401 86401->86399 86406 40eec0 LoadLibraryA GetProcAddress 86402->86406 86404 40e5d3 GetNativeSystemInfo 86404->86381 86404->86382 86405->86373 86406->86404 86407 46caaa 86408 46cac6 86407->86408 86409 46cad1 86407->86409 86520 40c760 78 API calls 86408->86520 86411 453063 111 API calls 86409->86411 86413 46cae0 86411->86413 86412 46cd92 86413->86412 86414 46caed 86413->86414 86415 46cbeb 86413->86415 
86416 453081 111 API calls 86414->86416 86417 40f5e0 152 API calls 86415->86417 86421 46caf8 _wcscpy _wcschr 86416->86421 86418 46cbfc 86417->86418 86419 46cc13 86418->86419 86420 46cc01 86418->86420 86423 453081 111 API calls 86419->86423 86422 404120 VariantClear 86420->86422 86431 46cb16 _wcscat _wcscpy 86421->86431 86435 46cb44 _wcscat 86421->86435 86424 46cbc4 86422->86424 86425 46cc39 86423->86425 86427 4092c0 VariantClear 86424->86427 86426 413db0 __wsplitpath 67 API calls 86425->86426 86437 46cc3f _wcscat _wcscpy 86426->86437 86428 46cbd0 86427->86428 86429 453081 111 API calls 86430 46cb5e _wcscpy 86429->86430 86521 436ac4 GetFileAttributesW 86430->86521 86433 453081 111 API calls 86431->86433 86433->86435 86434 46cb79 _wcslen 86434->86424 86436 453081 111 API calls 86434->86436 86435->86429 86438 46cbae 86436->86438 86439 453081 111 API calls 86437->86439 86522 44bd29 103 API calls 4 library calls 86438->86522 86441 46cce4 86439->86441 86457 436879 86441->86457 86442 46cbb9 86442->86412 86442->86424 86444 46ccea 86464 436b22 86444->86464 86447 46cd02 86449 4092c0 VariantClear 86447->86449 86448 453081 111 API calls 86450 46cd1b 86448->86450 86451 46cd46 86449->86451 86467 452788 86450->86467 86454 434fe1 106 API calls 86451->86454 86453 46cd26 86453->86451 86456 404120 VariantClear 86453->86456 86455 46cd5d 86454->86455 86456->86447 86458 436883 _wcschr __write_nolock 86457->86458 86459 4368a2 _wcscpy 86458->86459 86460 413db0 __wsplitpath 67 API calls 86458->86460 86459->86444 86461 4368df 86460->86461 86462 413db0 __wsplitpath 67 API calls 86461->86462 86463 436905 _wcscat _wcscpy 86462->86463 86463->86444 86523 436ade GetFileAttributesW 86464->86523 86466 436b2c 86466->86447 86466->86448 86468 452798 __write_nolock 86467->86468 86469 4431e0 GetSystemTimeAsFileTime 86468->86469 86470 4527ec 86469->86470 86471 41557c _fseek 105 API calls 86470->86471 86472 452801 86471->86472 86473 4528f1 86472->86473 86474 45281a 86472->86474 86476 4523ce 114 API calls 
86473->86476 86475 4523ce 114 API calls 86474->86475 86477 452829 86475->86477 86492 4528b5 _wcscat 86476->86492 86478 45282d 86477->86478 86479 413db0 __wsplitpath 67 API calls 86477->86479 86478->86453 86484 452861 _wcscat _wcscpy 86479->86484 86480 4151b0 __fread_nolock 81 API calls 86481 452919 86480->86481 86482 4151b0 __fread_nolock 81 API calls 86481->86482 86483 45292a 86482->86483 86485 4151b0 __fread_nolock 81 API calls 86483->86485 86487 413db0 __wsplitpath 67 API calls 86484->86487 86486 452949 86485->86486 86488 4151b0 __fread_nolock 81 API calls 86486->86488 86487->86492 86489 45295a 86488->86489 86490 4151b0 __fread_nolock 81 API calls 86489->86490 86491 45297b 86490->86491 86493 4151b0 __fread_nolock 81 API calls 86491->86493 86492->86478 86492->86480 86494 45298c 86493->86494 86495 4151b0 __fread_nolock 81 API calls 86494->86495 86496 45299d 86495->86496 86497 4151b0 __fread_nolock 81 API calls 86496->86497 86498 4529ae 86497->86498 86528 434fa9 GetTempPathW GetTempFileNameW 86498->86528 86500 4529be 86501 414e06 138 API calls 86500->86501 86515 4529d0 86501->86515 86502 4529db 86502->86453 86503 452aa3 86504 414e94 __fcloseall 106 API calls 86503->86504 86505 452aad 86504->86505 86506 452ad6 86505->86506 86507 452aba DeleteFileW 86505->86507 86508 452b6d CopyFileW 86506->86508 86514 452ae1 _wcscpy 86506->86514 86507->86453 86510 452b84 DeleteFileW 86508->86510 86511 452ba0 DeleteFileW 86508->86511 86509 4151b0 __fread_nolock 81 API calls 86509->86515 86510->86453 86529 434f66 CreateFileW 86511->86529 86517 44b195 139 API calls 86514->86517 86515->86502 86515->86503 86515->86509 86516 4146ce 103 API calls 86515->86516 86516->86515 86518 452b4d 86517->86518 86518->86511 86519 452b51 DeleteFileW 86518->86519 86519->86453 86520->86409 86521->86434 86522->86442 86524 436afa FindFirstFileW 86523->86524 86525 436b1d 86523->86525 86526 436b12 FindClose 86524->86526 86527 436b0b 86524->86527 86525->86466 86526->86525 86527->86466 86528->86500 86530 434fa5 
86529->86530 86531 434f8b SetFileTime CloseHandle 86529->86531 86530->86453 86531->86530 86532 4cabb0 86533 4cabc0 VirtualProtect 86532->86533 86535 4cad4d 86533->86535

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                                    • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4LbgdNQgna.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                                    • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                                    • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                                    • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                                    • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                                    • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                                  • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                                  • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\4LbgdNQgna.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                                    • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                                  • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\4LbgdNQgna.exe,00000004), ref: 0040D7D6
                                  • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                                  • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\4LbgdNQgna.exe,00000004), ref: 00431B0E
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\4LbgdNQgna.exe,00000004), ref: 00431B3F
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                                  • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                                    • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                    • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                    • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                                    • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                                    • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                                    • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                    • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                    • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                    • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                    • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                    • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                    • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                    • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                  • String ID: C:\Users\user\Desktop\4LbgdNQgna.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                  • API String ID: 2493088469-3717694245
                                  • Opcode ID: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                  • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                  • Opcode Fuzzy Hash: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                  • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 319 40e470-40e500 call 40c060 GetVersionExW call 4021e0 call 40e600 call 40e620 328 40e506-40e509 319->328 329 42accc-42acd1 319->329 332 40e540-40e555 call 40ee70 328->332 333 40e50b-40e51c 328->333 330 42acd3-42acdb 329->330 331 42acdd-42ace0 329->331 334 42ad12-42ad20 330->334 335 42ace2-42aceb 331->335 336 42aced-42acf0 331->336 350 40e557-40e573 GetCurrentProcess call 40ee30 332->350 351 40e579-40e5a8 332->351 337 40e522-40e525 333->337 338 42ac9b-42aca7 333->338 349 42ad28-42ad2d GetSystemInfo 334->349 335->334 336->334 340 42acf2-42ad06 336->340 337->332 341 40e527-40e537 337->341 343 42acb2-42acba 338->343 344 42aca9-42acad 338->344 345 42ad08-42ad0c 340->345 346 42ad0e 340->346 347 42acbf-42acc7 341->347 348 40e53d 341->348 343->332 344->332 345->334 346->334 347->332 348->332 352 42ad38-42ad3d GetSystemInfo 349->352 350->351 360 40e575 350->360 351->352 353 40e5ae-40e5c3 call 40eee0 351->353 353->349 359 40e5c9-40e5db call 40eea0 GetNativeSystemInfo 353->359 363 40e5e0-40e5ef 359->363 364 40e5dd-40e5de FreeLibrary 359->364 360->351 365 40e5f1-40e5f2 FreeLibrary 363->365 366 40e5f4-40e5ff 363->366 364->363 365->366
                                  APIs
                                  • GetVersionExW.KERNEL32 ref: 0040E495
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                  • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                  • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                  • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                  • String ID: Wu
                                  • API String ID: 2923339712-4083010176
                                  • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                  • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                  • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                  • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                  APIs
                                  • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: IsThemeActive$uxtheme.dll
                                  • API String ID: 2574300362-3542929980
                                  • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                  • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                  • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                  • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(00000001,00000000), ref: 00436AEF
                                  • FindFirstFileW.KERNELBASE(00000001,?), ref: 00436B00
                                  • FindClose.KERNEL32(00000000), ref: 00436B13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirst
                                  • String ID:
                                  • API String ID: 48322524-0

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                  • _fseek.LIBCMT ref: 004527FC
                                  • __wsplitpath.LIBCMT ref: 0045285C
                                  • _wcscpy.LIBCMT ref: 00452871
                                  • _wcscat.LIBCMT ref: 00452886
                                  • __wsplitpath.LIBCMT ref: 004528B0
                                  • _wcscat.LIBCMT ref: 004528C8
                                  • _wcscat.LIBCMT ref: 004528DD
                                  • __fread_nolock.LIBCMT ref: 00452914
                                  • __fread_nolock.LIBCMT ref: 00452925
                                  • __fread_nolock.LIBCMT ref: 00452944
                                  • __fread_nolock.LIBCMT ref: 00452955
                                  • __fread_nolock.LIBCMT ref: 00452976
                                  • __fread_nolock.LIBCMT ref: 00452987
                                  • __fread_nolock.LIBCMT ref: 00452998
                                  • __fread_nolock.LIBCMT ref: 004529A9
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                    • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                    • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                  • __fread_nolock.LIBCMT ref: 00452A39
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                  • String ID:
                                  • API String ID: 2054058615-0

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                  • __wsplitpath.LIBCMT ref: 00410C61
                                    • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                  • _wcsncat.LIBCMT ref: 00410C78
                                  • __wmakepath.LIBCMT ref: 00410C94
                                    • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                    • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                    • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                  • _wcscpy.LIBCMT ref: 00410CCC
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                  • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                  • _wcscat.LIBCMT ref: 00429C43
                                  • _wcslen.LIBCMT ref: 00429C55
                                  • _wcslen.LIBCMT ref: 00429C66
                                  • _wcscat.LIBCMT ref: 00429C80
                                  • _wcsncpy.LIBCMT ref: 00429CC0
                                  • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                  • String ID: 3PD$Include$Software\AutoIt v3\AutoIt$\
                                  • API String ID: 1004883554-2608569402

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: >>>AUTOIT SCRIPT<<<$\
                                  • API String ID: 0-1896584978

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __fread_nolock$_fseek_wcscpy
                                  • String ID: FILE
                                  • API String ID: 3888824918-3121273764

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                  • LoadIconW.USER32(?,00000063), ref: 0041021F
                                  • LoadIconW.USER32(?,000000A4), ref: 00410232
                                  • LoadIconW.USER32(?,000000A2), ref: 00410245
                                  • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                  • RegisterClassExW.USER32 ref: 004102C6
                                    • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                    • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                    • Part of subcall function 004102F0: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0041036A
                                    • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 2880975755-4155596026

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32 ref: 00410326
                                  • RegisterClassExW.USER32 ref: 00410359
                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0041036A
                                  • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 975902462-1005189915

                                  Control-flow Graph

                                  APIs
                                  • _fseek.LIBCMT ref: 004525DA
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                    • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                    • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                    • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                  • __fread_nolock.LIBCMT ref: 00452618
                                  • __fread_nolock.LIBCMT ref: 00452629
                                  • __fread_nolock.LIBCMT ref: 00452644
                                  • __fread_nolock.LIBCMT ref: 00452661
                                  • _fseek.LIBCMT ref: 0045267D
                                  • _malloc.LIBCMT ref: 00452689
                                  • _malloc.LIBCMT ref: 00452696
                                  • __fread_nolock.LIBCMT ref: 004526A7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                  • String ID:
                                  • API String ID: 1911931848-0

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __fread_nolock_fseek_strcat
                                  • String ID: AU3!$EA06
                                  • API String ID: 3818483258-2658333250

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                  • String ID: C:\Users\user\Desktop\4LbgdNQgna.exe
                                  • API String ID: 192938534-2333296058
                                  • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                  • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                  • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                  • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                                  Control-flow Graph (function 414f10-414f2c): no direct API calls in the nodes; subcalls to 417f23, 417ebb, 4131f0, 41e6b1, 41453a, 41ed9e, 41ee9b
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                  • String ID:
                                  • API String ID: 3886058894-0
                                  • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                  • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                  • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                  • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

                                  Control-flow Graph (function 1840920-1840972): nodes call subroutine 1840820, CreateFileW (twice), VirtualAlloc, ReadFile, WriteFile, CloseHandle and VirtualFree
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01840965
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                  • Instruction ID: 61b4e07551f6cbffd2bbd02d37f7758b3d993a5658a247a3bad80096d7b09ef9
                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                  • Instruction Fuzzy Hash: 0D51E575A5020CFBEB20DFA4CC49FEF77B9AF48705F108654F64AEA1C0DA7496458B60

                                  Control-flow Graph

                                  APIs
                                  • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • _memset.LIBCMT ref: 00401C62
                                  • _wcsncpy.LIBCMT ref: 00401CA1
                                  • _wcscpy.LIBCMT ref: 00401CBD
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                  • String ID: Line:
                                  • API String ID: 1620655955-1585850449
                                  • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                  • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                  • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                  • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

                                  Control-flow Graph (function 4103e0-410461, single block): CreateWindowExW * 2, ShowWindow * 2
                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                  • ShowWindow.USER32(?,00000000), ref: 00410454
                                  • ShowWindow.USER32(?,00000000), ref: 0041045E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                  • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                  • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                  • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C
                                  APIs
                                  • __lock.LIBCMT ref: 00413AA6
                                    • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                    • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                    • Part of subcall function 00418407: RtlEnterCriticalSection.NTDLL(?), ref: 00418431
                                  • ___sbh_find_block.LIBCMT ref: 00413AB1
                                  • ___sbh_free_block.LIBCMT ref: 00413AC0
                                  • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                  • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                  • String ID:
                                  • API String ID: 2714421763-0
                                  • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                  • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                  • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                  • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Wu
                                  • API String ID: 0-4083010176
                                  • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                  • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                  • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                  • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                  APIs
                                    • Part of subcall function 018422E0: Sleep.KERNELBASE(000001F4), ref: 018422F1
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01842547
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateFileSleep
                                  • String ID: 8PVO10VSPB37V3LLQP1XWAH7N
                                  • API String ID: 2694422964-3853324649
                                  • Opcode ID: a3f48e53323a1f379d9b91e39bdb6f8176d50836a95ad3f11a04ab568c31897d
                                  • Instruction ID: 0072859ed6da0e5aee1b0fa9bd668b724b831b1c2c5e29c1b43ea02f92397edb
                                  • Opcode Fuzzy Hash: a3f48e53323a1f379d9b91e39bdb6f8176d50836a95ad3f11a04ab568c31897d
                                  • Instruction Fuzzy Hash: BD619630D0824CDBEF11D7B8D858BEEBB75AF19304F044198E149BB2C1DAB91B45CBA6
                                  APIs
                                  • __flush.LIBCMT ref: 00414630
                                  • __fileno.LIBCMT ref: 00414650
                                  • __locking.LIBCMT ref: 00414657
                                  • __flsbuf.LIBCMT ref: 00414682
                                    • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                    • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                  • String ID:
                                  • API String ID: 3240763771-0
                                  • Opcode ID: 43e807c709cc5257463e6f25a51bf94e9ef82086518aa8f58ee9919ed320599b
                                  • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                  • Opcode Fuzzy Hash: 43e807c709cc5257463e6f25a51bf94e9ef82086518aa8f58ee9919ed320599b
                                  • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                  APIs
                                  • _memset.LIBCMT ref: 0040E202
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell__memset
                                  • String ID:
                                  • API String ID: 928536360-0
                                  • Opcode ID: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
                                  • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                                  • Opcode Fuzzy Hash: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
                                  • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                                  APIs
                                  • _malloc.LIBCMT ref: 00411734
                                    • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                    • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                    • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A), ref: 00413931
                                  • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                                  • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                  • __CxxThrowException@8.LIBCMT ref: 00411779
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                  • String ID:
                                  • API String ID: 1411284514-0
                                  • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                  • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                                  • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                  • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01841045
                                  • ExitProcess.KERNEL32(00000000), ref: 01841064
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process$CreateExit
                                  • String ID: D
                                  • API String ID: 126409537-2746444292
                                  • Opcode ID: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
                                  • Instruction ID: bb6543d888df01cf9de29bd7e04f8aded5bcc19d3cff762b8c68c95feebad175
                                  • Opcode Fuzzy Hash: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
                                  • Instruction Fuzzy Hash: B2F0EC7164424CABDB60DFE4CC49FEE777CBF04701F408509FA0ADA180DE7896488B61
                                  APIs
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00434FB8
                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00434FD2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Temp$FileNamePath
                                  • String ID: aut
                                  • API String ID: 3285503233-3010740371
                                  • Opcode ID: 82f31d04e16af5f01be6cdfc0d9504ab1fb0bcbc6d64d3389bdd0f197d66684f
                                  • Instruction ID: 3313f3dae54ffcfdd9147ab58f8a32ee61f020fa86886c131b3703d02f5643f1
                                  • Opcode Fuzzy Hash: 82f31d04e16af5f01be6cdfc0d9504ab1fb0bcbc6d64d3389bdd0f197d66684f
                                  • Instruction Fuzzy Hash: 92D05EB41443006FE220EB44DC8EF7E7368AB84700F108D2DBE70810D0E2F45114C76A
                                  APIs
                                    • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                    • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                    • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                  • _strcat.LIBCMT ref: 0040F603
                                    • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                    • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                  • String ID:
                                  • API String ID: 1194219731-0
                                  • Opcode ID: d43058e70474192ed0b7edd27320cfc594714a653f8613489d82c9b24f7f0d3f
                                  • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                  • Opcode Fuzzy Hash: d43058e70474192ed0b7edd27320cfc594714a653f8613489d82c9b24f7f0d3f
                                  • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                  • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                  • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                  • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                  • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                  • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                  APIs
                                  • _malloc.LIBCMT ref: 00435278
                                    • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                    • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                    • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A), ref: 00413931
                                  • _malloc.LIBCMT ref: 00435288
                                  • _malloc.LIBCMT ref: 00435298
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _malloc$AllocateHeap
                                  • String ID:
                                  • API String ID: 680241177-0
                                  • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                  • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                  • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                  • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                  APIs
                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,00452BC1,?,?,?), ref: 00434F7E
                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 00434F98
                                  • CloseHandle.KERNEL32(00000000), ref: 00434F9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateHandleTime
                                  • String ID:
                                  • API String ID: 3397143404-0
                                  • Opcode ID: 8160c471e296e30317256c6c88eb7e1bc07dc4386827ceea14d4f756b3bee6b9
                                  • Instruction ID: 225011b16fe4d6af9175c1a66afc187e3dae5687c313c29167a0b6f0749d34c1
                                  • Opcode Fuzzy Hash: 8160c471e296e30317256c6c88eb7e1bc07dc4386827ceea14d4f756b3bee6b9
                                  • Instruction Fuzzy Hash: D4E04F75240320BBE1209B249C4DF9F7768AB89B20F208A18F755661D0C7B46C418769
                                  APIs
                                  • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004CAD36
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID: ATEUPDOWN
                                  • API String ID: 544645111-2277593108
                                  • Opcode ID: cb12c921807c3d1ac88b7f1da887c4e0d2e4c8f1a0f0432146b498620f62bf48
                                  • Instruction ID: 30e8ab143a99a7de311692965bab1cfd0edaa6200af1bf9b5c5d7f34f9f871b7
                                  • Opcode Fuzzy Hash: cb12c921807c3d1ac88b7f1da887c4e0d2e4c8f1a0f0432146b498620f62bf48
                                  • Instruction Fuzzy Hash: F5512BB9A4435A4BC7605AB88DC4FB17795EB0132C728073EC6E2C73C5E79C5C16875A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID: EA06
                                  • API String ID: 2638373210-3962188686
                                  • Opcode ID: b0f12358a10ccc91713b8803d842eac78f0c835c00215d7294352439040602c7
                                  • Instruction ID: 23e6cbce50a632bd9308966c758204bfda8dfebcaf80c67569f9fe191929c306
                                  • Opcode Fuzzy Hash: b0f12358a10ccc91713b8803d842eac78f0c835c00215d7294352439040602c7
                                  • Instruction Fuzzy Hash: 30012231408750ABC719DA189852A6BBBE0AFD5305F04C91EF0EA82281E278E10CCB66
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __lock_file_memset
                                  • String ID:
                                  • API String ID: 26237723-0
                                  • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                  • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                  • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                  • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                  APIs
                                    • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                    • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                  • __lock_file.LIBCMT ref: 00414EE4
                                    • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                  • __fclose_nolock.LIBCMT ref: 00414EEE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                  • String ID:
                                  • API String ID: 717694121-0
                                  • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                  • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                  • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                  • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                  APIs
                                    • Part of subcall function 018408E0: GetFileAttributesW.KERNELBASE(?), ref: 018408EB
                                  • CreateDirectoryW.KERNELBASE(?,00000000), ref: 018411E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AttributesCreateDirectoryFile
                                  • String ID:
                                  • API String ID: 3401506121-0
                                  • Opcode ID: a5922349777fb0129e3c9996247b62ece40f96c8caceb2c87d45036b1ce5aafb
                                  • Instruction ID: 9ecd23069dfa90d8617918fa1b0f254222bc58b30db109c5060969dda0cfda0d
                                  • Opcode Fuzzy Hash: a5922349777fb0129e3c9996247b62ece40f96c8caceb2c87d45036b1ce5aafb
                                  • Instruction Fuzzy Hash: 80618331A2020D97EF14EFA4D944BEF733AEF58700F005569A60DE7290EB759B44CBA6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                                  • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                  • Opcode Fuzzy Hash: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                                  • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                  APIs
                                  • __lock_file.LIBCMT ref: 00414715
                                    • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                    • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __decode_pointer__getptd_noexit__lock_file
                                  • String ID:
                                  • API String ID: 3158947991-0
                                  • Opcode ID: 085163d9d6c6b92529dffeffa933b442a69769718ab4c3f036a6efc1e6619a91
                                  • Instruction ID: 976453b5b1ee2f3d44d02422b4ffd36af57946720b8a5c914dc71ca3f0d289f9
                                  • Opcode Fuzzy Hash: 085163d9d6c6b92529dffeffa933b442a69769718ab4c3f036a6efc1e6619a91
                                  • Instruction Fuzzy Hash: 92F08C70901219EBCF22BFA1CC024DE3B71AF42710F00855AF42466291C73D8AA1AB99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 98b207d45e3e41938bcf73f1f58807d9d7fa02aba2c89a6dd945dc5fa430a16a
                                  • Instruction ID: c8cab7b9ad1e4d68f175e3e78f8025b3f2ff01098545686a0cb71aba66e94933
                                  • Opcode Fuzzy Hash: 98b207d45e3e41938bcf73f1f58807d9d7fa02aba2c89a6dd945dc5fa430a16a
                                  • Instruction Fuzzy Hash: 4FF0C0B5604B009FDB35CA24C841BD3B7E89B89344F04481EFA9A47342D676B885C65D
                                  APIs
                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateHeap
                                  • String ID:
                                  • API String ID: 10892065-0
                                  • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                  • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                  • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                  • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 018408EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                  • Instruction ID: 03a44ac1769ee3dec87753f3be92026bcb72eb8ea10668dc2ab609b89f5eea76
                                  • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                  • Instruction Fuzzy Hash: 1BE08C71A1620CEBEB20CBBC8D08AEA7BA8DB44320F204654FA1AC3280E9348B409654
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 018408BB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                  • Instruction ID: 1e21a03dc3283d7ae7329e859340e881047c7559a6c42017c3bb2b81d3ca1670
                                  • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                  • Instruction Fuzzy Hash: 45D0A73090620CEBDB10CFB89D04ADB73A8DB04320F004754FE15D3281DA319A409790
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __wfsopen
                                  • String ID:
                                  • API String ID: 197181222-0
                                  • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                  • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                  • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                  • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                  • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                  • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 018422F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                  • Instruction ID: ebad4b3a61a5510d8223d552b033d3c8d86aa013594350945a121549379ed1c1
                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                  • Instruction Fuzzy Hash: DFE04F3484010DEFCB00EFE4D6496DE7BB4EF00301F1005A0FD01D3680DB309E508A62
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 018422F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1840000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction ID: e6941dae7ec47823318875147404a98ca20b4937b16a1c469b1f91c2301c98c5
                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction Fuzzy Hash: BFE0E67494510DDFDB00EFF4D64969E7FB4EF04701F100561FD01D2281DA309E509A72
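Every function entry above names the memory dump it was disassembled from. The entries at 0x1840000 carry "based on PE: false": that region is not the mapped image but memory the process allocated and wrote itself, which is where an unpacked or injected stage normally lives, so the APIs called from there (GetFileAttributesW, Sleep with a 0x1F4 = 500 ms argument) are the ones to read first. The following is an added Python example, not part of the Joe Sandbox report or its tooling, that parses entries in this format, groups functions by source region, flags regions not backed by a PE, and decodes the Sleep intervals. The sample text is a constructed excerpt of entries copied from this report and trimmed to the fields the parser uses; the function and field names are the example's own assumptions.

```python
"""Group Joe Sandbox IDA-plugin function entries by memory region.

Added example: parses the "APIs / Memory Dump Source" entries of a report,
attributes each function to the dump region it came from, and flags regions
that are not backed by a PE (memory the process allocated itself).
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt: entries copied from this report (sample 4LbgdNQgna.exe,
# analysis 1588884), trimmed to the fields the parser below uses.
SAMPLE_REPORT = """\
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
Memory Dump Source
• Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateHeap
• Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
APIs
• GetFileAttributesW.KERNELBASE(?), ref: 018408EB
Memory Dump Source
• Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
Similarity
• API ID: AttributesFile
• Instruction Fuzzy Hash: 1BE08C71A1620CEBEB20CBBC8D08AEA7BA8DB44320F204654FA1AC3280E9348B409654
APIs
• Sleep.KERNELBASE(000001F4), ref: 018422F1
Memory Dump Source
• Source File: 00000000.00000002.1427943958.0000000001840000.00000040.00001000.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
Similarity
• API ID: Sleep
• Instruction Fuzzy Hash: DFE04F3484010DEFCB00EFE4D6496DE7BB4EF00301F1005A0FD01D3680DB309E508A62
APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Memory Dump Source
• Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: BuffCharUpper_malloc_wcslen
• Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
"""

# One API call line: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXX:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
SOURCE_RE = re.compile(
    r"Source File: (?P<dump>\S+), Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)"
)
ENTRY_END = "• Instruction Fuzzy Hash:"   # last field of every function entry


@dataclass
class Region:
    offset: str
    pe_backed: bool
    functions: int = 0
    apis: set = field(default_factory=set)
    calls: list = field(default_factory=list)   # (api, module, args, ref)


def parse_report(text):
    """Return {offset: Region} for every memory dump region seen in the text."""
    regions, entry = {}, []
    for line in text.splitlines():
        entry.append(line)
        if line.strip().startswith(ENTRY_END):
            _consume_entry(entry, regions)
            entry = []
    return regions


def _consume_entry(lines, regions):
    src, calls = None, []
    for line in lines:
        m = SOURCE_RE.search(line)
        if m:
            src = m
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            calls.append((m["api"], m["module"], args, m["ref"]))
    if src is None:          # entry without a dump source: nothing to attribute
        return
    region = regions.setdefault(src["offset"], Region(src["offset"], src["pe"] == "true"))
    region.functions += 1
    for call in calls:
        region.apis.add(call[0])
        region.calls.append(call)


def unbacked_regions(regions):
    """Offsets of regions the report marks 'based on PE: false'."""
    return sorted(r.offset for r in regions.values() if not r.pe_backed)


def sleep_intervals_ms(regions):
    """Decode the dwMilliseconds argument of each resolved Sleep call (hex in the report)."""
    out = []
    for r in regions.values():
        for api, _mod, args, _ref in r.calls:
            if api == "Sleep" and args and args[0] != "?":
                out.append(int(args[0], 16))
    return sorted(out)


if __name__ == "__main__":
    regs = parse_report(SAMPLE_REPORT)
    for off, r in sorted(regs.items()):
        tag = "PE-backed" if r.pe_backed else "UNBACKED (allocated/injected stage)"
        print(f"{off}: {tag}, {r.functions} functions, APIs: {', '.join(sorted(r.apis))}")
    print("Sleep intervals (ms):", sleep_intervals_ms(regs))
```

On the excerpt the parser attributes HeapCreate, _wcslen, _malloc and CharUpperBuffW to the PE-backed image at 00400000 and GetFileAttributesW and Sleep to the unbacked region at 01840000, with a single decoded Sleep interval of 500 ms. Run against the full report text, the same grouping gives a first-pass list of which API calls belong to the loader and which to the stage it unpacked.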
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                   • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ACOS$ADLIBREGISTER$ADLIBUNREGISTER$ASC$ASCW$ASIN$ASSIGN$ATAN$AUTOITSETOPTION$AUTOITWINGETTITLE$AUTOITWINSETTITLE$ApG$BEEP$BINARY$BINARYLEN$BINARYMID$BINARYTOSTRING$BITAND$BITNOT$BITOR$BITROTATE$BITSHIFT$BITXOR$BLOCKINPUT$BREAK$BnE$CALL$CDTRAY$CEILING$CHR$CHRW$CLIPGET$CLIPPUT$CONSOLEREAD$CONSOLEWRITE$CONSOLEWRITEERROR$CONTROLCLICK$CONTROLCOMMAND$CONTROLDISABLE$CONTROLENABLE$CONTROLFOCUS$CONTROLGETFOCUS$CONTROLGETHANDLE$CONTROLGETPOS$CONTROLGETTEXT$CONTROLHIDE$CONTROLLISTVIEW$CONTROLMOVE$CONTROLSEND$CONTROLSETTEXT$CONTROLSHOW$CONTROLTREEVIEW$COS$DEC$DIRCOPY$DIRCREATE$DIRGETSIZE$DIRMOVE$DIRREMOVE$DLLCALL$DLLCALLBACKFREE$DLLCALLBACKGETPTR$DLLCALLBACKREGISTER$DLLCLOSE$DLLOPEN$DLLSTRUCTCREATE$DLLSTRUCTGETDATA$DLLSTRUCTGETPTR$DLLSTRUCTGETSIZE$DLLSTRUCTSETDATA$DRIVEGETDRIVE$DRIVEGETFILESYSTEM$DRIVEGETLABEL$DRIVEGETSERIAL$DRIVEGETTYPE$DRIVEMAPADD$DRIVEMAPDEL$DRIVEMAPGET$DRIVESETLABEL$DRIVESPACEFREE$DRIVESPACETOTAL$DRIVESTATUS$DUMMYSPEEDTEST$DvE$ENVGET$ENVSET$ENVUPDATE$EVAL$EXECUTE$EXP$F)G$FILECHANGEDIR$FILECLOSE$FILECOPY$FILECREATENTFSLINK$FILECREATESHORTCUT$FILEDELETE$FILEEXISTS$FILEFINDFIRSTFILE$FILEFINDNEXTFILE$FILEFLUSH$FILEGETATTRIB$FILEGETENCODING$FILEGETLONGNAME$FILEGETPOS$FILEGETSHORTCUT$FILEGETSHORTNAME$FILEGETSIZE$FILEGETTIME$FILEGETVERSION$FILEINSTALL$FILEMOVE$FILEOPEN$FILEOPENDIALOG$FILEREAD$FILEREADLINE$FILERECYCLE$FILERECYCLEEMPTY$FILESAVEDIALOG$FILESELECTFOLDER$FILESETATTRIB$FILESETPOS$FILESETTIME$FILEWRITE$FILEWRITELINE$FLOOR$FTPSETPROXY$GSG$GUICREATE$GUICTRLCREATEAVI$GUICTRLCREATEBUTTON$GUICTRLCREATECHECKBOX$GUICTRLCREATECOMBO$GUICTRLCREATECONTEXTMENU$GUICTRLCREATEDATE$GUICTRLCREATEDUMMY$GUICTRLCREATEEDIT$GUICTRLCREATEGRAPHIC$GUICTRLCREATEGROUP$GUICTRLCREATEICON$GUICTRLCREATEINPUT$GUICTRLCREATELABEL$GUICTRLCREATELIST$GUICTRLCREATELISTVIEW$GUICTRLCREATELISTVIEWITEM$GUICTRLCREATEMENU$GUICTRLCREATEMENUITEM$GUICTRLCREATEMONTHCAL$GUICTRLCREATEOBJ$GUICTRLCREATEPIC$GUICTRLCREATEPROGRESS$GUICTRLCREATERADIO$GUICTRLCREATESLIDER$GUICTRLCREATETAB$GUICTRLCREATETABITEM$GUICTRLCREATETREEVIEW$GUICTRLCREATETREEVIEWITEM$GUICTRLCREATEUPDOWN$GUICTRLDELETE$GUICTRLGETHANDLE$GUICTRLGETSTATE$GUICTRLREAD$GUICTRLRECVMSG$GUICTRLREGISTERLISTVIEWSORT$GUICTRLSENDMSG$GUICTRLSENDTODUMMY$GUICTRLSETBKCOLOR$GUICTRLSETCOLOR$GUICTRLSETCURSOR$GUICTRLSETDATA$GUICTRLSETDEFBKCOLOR$GUICTRLSETDEFCOLOR$GUICTRLSETFONT$GUICTRLSETGRAPHIC$GUICTRLSETIMAGE$GUICTRLSETLIMIT$GUICTRLSETONEVENT$GUICTRLSETPOS$GUICTRLSETRESIZING$GUICTRLSETSTATE$GUICTRLSETSTYLE$GUICTRLSETTIP$GUIDELETE$GUIGETCURSORINFO$GUIGETMSG$GUIGETSTYLE$GUIREGISTERMSG$GUISETACCELERATORS$GUISETBKCOLOR$GUISETCOORD$GUISETCURSOR$GUISETFONT$GUISETHELP$GUISETICON$GUISETONEVENT$GUISETSTATE$GUISETSTYLE$GUISTARTGROUP$GUISWITCH$HEX$HOTKEYSET$HTTPSETPROXY$HTTPSETUSERAGENT$HWND$INETCLOSE$INETGET$INETGETINFO$INETGETSIZE$INETREAD$INIDELETE$INIREAD$INIREADSECTION$INIREADSECTIONNAMES$INIRENAMESECTION$INIWRITE$INIWRITESECTION$INPUTBOX$INT$ISADMIN$ISARRAY$ISBINARY$ISBOOL$ISDECLARED$ISDLLSTRUCT$ISFLOAT$ISHWND$ISINT$ISKEYWORD$ISNUMBER$ISOBJ$ISPTR$ISSTRING$IqE$K@G$LOG$LbF$MEMGETSTATS$MOD$MOUSECLICK$MOUSECLICKDRAG$MOUSEDOWN$MOUSEGETCURSOR$MOUSEGETPOS$MOUSEMOVE$MOUSEUP$MOUSEWHEEL$MSGBOX$MdF$MuE$NUMBER$NgF$O*F$OBJCREATE$OBJEVENT$OBJGET$OBJNAME$ONAUTOITEXITREGISTER$ONAUTOITEXITUNREGISTER$OPT$PIF$PING$PIXELCHECKSUM$PIXELGETCOLOR$PIXELSEARCH$PLUGINCLOSE$PLUGINOPEN$PROCESSCLOSE$PROCESSEXISTS$PROCESSGETSTATS$PROCESSLIST$PROCESSSETPRIORITY$PROCESSWAIT$PROCESSWAITCLOSE$PROGRESSOFF$PROGRESSON$PROGRESSSET$PTR$QbG$R+F$RANDOM$REGDELETE$REGENUMKEY$REGENUMVAL$REGREAD$REGWRITE$ROUND$RUN$RUNAS$RUNASWAIT$RUNWAIT$RnG$SEND$SENDKEEPACTIVE$SETERROR$SETEXTENDED$SHELLEXECUTE$SHELLEXECUTEWAIT$SHUTDOWN$SIN$SLEEP$SOUNDPLAY$SOUNDSETWAVEVOLUME$SPLASHIMAGEON$SPLASHOFF$SPLASHTEXTON$SQRT$SRANDOM$STATUSBARGETTEXT$STDERRREAD$STDINWRITE$STDIOCLOSE$STDOUTREAD$STRING$STRINGADDCR$STRINGCOMPARE$STRINGFORMAT$STRINGFROMASCIIARRAY$STRINGINSTR$STRINGISALNUM$STRINGISALPHA$STRINGISASCII$STRINGISDIGIT$STRINGISFLOAT$STRINGISINT$STRINGISLOWER$STRINGISSPACE$STRINGISUPPER$STRINGISXDIGIT$STRINGLEFT$STRINGLEN$STRINGLOWER$STRINGMID$STRINGREGEXP$STRINGREGEXPREPLACE$STRINGREPLACE$STRINGRIGHT$STRINGSPLIT$STRINGSTRIPCR$STRINGSTRIPWS$STRINGTOASCIIARRAY$STRINGTOBINARY$STRINGTRIMLEFT$STRINGTRIMRIGHT$STRINGUPPER$TAN$TCPACCEPT$TCPCLOSESOCKET$TCPCONNECT$TCPLISTEN$TCPNAMETOIP$TCPRECV$TCPSEND$TCPSHUTDOWN$TCPSTARTUP$TIMERDIFF$TIMERINIT$TOOLTIP$TRAYCREATEITEM$TRAYCREATEMENU$TRAYGETMSG$TRAYITEMDELETE$TRAYITEMGETHANDLE$TRAYITEMGETSTATE$TRAYITEMGETTEXT$TRAYITEMSETONEVENT$TRAYITEMSETSTATE$TRAYITEMSETTEXT$TRAYSETCLICK$TRAYSETICON$TRAYSETONEVENT$TRAYSETPAUSEICON$TRAYSETSTATE$TRAYSETTOOLTIP$TRAYTIP$UBOUND$UDPBIND$UDPCLOSESOCKET$UDPOPEN$UDPRECV$UDPSEND$UDPSHUTDOWN$UDPSTARTUP$VARGETTYPE$WINACTIVATE$WINACTIVE$WINCLOSE$WINEXISTS$WINFLASH$WINGETCARETPOS$WINGETCLASSLIST$WINGETCLIENTSIZE$WINGETHANDLE$WINGETPOS$WINGETPROCESS$WINGETSTATE$WINGETTEXT$WINGETTITLE$WINKILL$WINLIST$WINMENUSELECTITEM$WINMINIMIZEALL$WINMINIMIZEALLUNDO$WINMOVE$WINSETONTOP$WINSETSTATE$WINSETTITLE$WINSETTRANS$WINWAIT$WINWAITACTIVE$WINWAITCLOSE$WINWAITNOTACTIVE$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                                  • API String ID: 0-1891124927
                                  • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                  • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                  • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                  • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                  APIs
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                  • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                  • GetKeyState.USER32(00000011), ref: 0047C1A4
                                  • GetKeyState.USER32(00000009), ref: 0047C1AD
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                  • GetKeyState.USER32(00000010), ref: 0047C1CA
                                  • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                  • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                  • SendMessageW.USER32 ref: 0047C2FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$State$DialogNtdllProc_
                                  • String ID: @GUI_DRAGID$F
                                  • API String ID: 2436949396-4164748364
                                  • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                  • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                  • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                  • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                                  APIs
                                  • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                  • IsIconic.USER32(?), ref: 004375E1
                                  • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                  • SetForegroundWindow.USER32(?), ref: 004375FD
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                  • GetCurrentThreadId.KERNEL32 ref: 00437619
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                  • SetForegroundWindow.USER32(?), ref: 00437645
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                  • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                  • keybd_event.USER32(00000012,00000000), ref: 00437674
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                  • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                  • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                  • SetForegroundWindow.USER32(?), ref: 004376AD
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 3778422247-2988720461
                                  • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                  • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                                  • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                  • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                                  APIs
                                  • _wcslen.LIBCMT ref: 00409A61
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                    • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                    • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                  • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                  • String ID: 0vH$4RH$F
                                  • API String ID: 1143807570-2964143156
                                  • Opcode ID: 448372cbc2a04de0c58b15acec820b8f3e335fdb8b2659cade4efb497aaa83ea
                                  • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                                  • Opcode Fuzzy Hash: 448372cbc2a04de0c58b15acec820b8f3e335fdb8b2659cade4efb497aaa83ea
                                  • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
                                  APIs
                                  • _memset.LIBCMT ref: 0044621B
                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                  • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                  • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                  • _wcslen.LIBCMT ref: 0044639E
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  • _wcsncpy.LIBCMT ref: 004463C7
                                  • 74BC5590.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                  • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                  • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                  • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                  • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                  • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: StationWindow$CloseProcess$DesktopHandleOpen$C5590CreateDuplicateTokenUser_malloc_memset_wcslen_wcsncpy
                                  • String ID: $default$winsta0$winsta0\default
                                  • API String ID: 2888180335-1685893292
                                  • Opcode ID: 8783c105518f9fa52f5c80a6299cf7ec7b6e28c011eada52347f54b488ad9e21
                                  • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                  • Opcode Fuzzy Hash: 8783c105518f9fa52f5c80a6299cf7ec7b6e28c011eada52347f54b488ad9e21
                                  • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                  APIs
                                    • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\4LbgdNQgna.exe,?,C:\Users\user\Desktop\4LbgdNQgna.exe,004A8E80,C:\Users\user\Desktop\4LbgdNQgna.exe,0040F3D2), ref: 0040FFCA
                                    • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                    • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                    • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                    • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                  • _wcscat.LIBCMT ref: 0044BD96
                                  • _wcscat.LIBCMT ref: 0044BDBF
                                  • __wsplitpath.LIBCMT ref: 0044BDEC
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                  • _wcscpy.LIBCMT ref: 0044BE73
                                  • _wcscat.LIBCMT ref: 0044BE85
                                  • _wcscat.LIBCMT ref: 0044BE97
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                  • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                                  • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                                  • FindClose.KERNEL32(00000000), ref: 0044BF35
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                  • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2188072990-1173974218
                                  • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                  • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                                  • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                  • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                                  APIs
                                  • __invoke_watson.LIBCMT ref: 004203A4
                                    • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                    • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                    • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                                    • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                                    • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                    • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                  • __get_daylight.LIBCMT ref: 004203B0
                                  • __invoke_watson.LIBCMT ref: 004203BF
                                  • __get_daylight.LIBCMT ref: 004203CB
                                  • __invoke_watson.LIBCMT ref: 004203DA
                                  • ____lc_codepage_func.LIBCMT ref: 004203E2
                                  • _strlen.LIBCMT ref: 00420442
                                  • __malloc_crt.LIBCMT ref: 00420449
                                  • _strlen.LIBCMT ref: 0042045F
                                  • _strcpy_s.LIBCMT ref: 0042046D
                                  • __invoke_watson.LIBCMT ref: 00420482
                                  • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                  • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                  • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                    • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                    • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                    • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                    • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                    • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                  • __invoke_watson.LIBCMT ref: 004205CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                  • String ID: S\
                                  • API String ID: 4084823496-393906132
                                  • Opcode ID: 9f641836eee9844fdb211255f71e21062b6006d1a88a71a8f5a1c928a585c03b
                                  • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                                  • Opcode Fuzzy Hash: 9f641836eee9844fdb211255f71e21062b6006d1a88a71a8f5a1c928a585c03b
                                  • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                                  • __swprintf.LIBCMT ref: 00434D91
                                  • _wcslen.LIBCMT ref: 00434D9B
                                  • _wcslen.LIBCMT ref: 00434DB0
                                  • _wcslen.LIBCMT ref: 00434DC5
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                                  • _memset.LIBCMT ref: 00434E27
                                  • _wcslen.LIBCMT ref: 00434E3C
                                  • _wcsncpy.LIBCMT ref: 00434E6F
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                                  • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                                  • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                                  • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                  • String ID: :$\$\??\%s
                                  • API String ID: 302090198-3457252023
                                  • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                  • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                                  • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                  • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
                                  APIs
                                    • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                                  • GetLastError.KERNEL32 ref: 004644B4
                                  • GetCurrentThread.KERNEL32 ref: 004644C8
                                  • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 1312810259-2896544425
                                  • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                  • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                                  • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                  • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                                  • __wsplitpath.LIBCMT ref: 004038B2
                                    • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                  • _wcscpy.LIBCMT ref: 004038C7
                                  • _wcscat.LIBCMT ref: 004038DC
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                    • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                    • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                    • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                                    • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                                  • _wcscpy.LIBCMT ref: 004039C2
                                  • _wcslen.LIBCMT ref: 00403A53
                                  • _wcslen.LIBCMT ref: 00403AAA
                                  Strings
                                  • _, xrefs: 00403B48
                                  • Error opening the file, xrefs: 0042B8AC
                                  • Unterminated string, xrefs: 0042B9BA
                                  • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                  • API String ID: 4115725249-188983378
                                  • Opcode ID: e410348e96554644cb024ebf95e8b2d2088fffc0e8404256067a24ee959a0054
                                  • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                                  • Opcode Fuzzy Hash: e410348e96554644cb024ebf95e8b2d2088fffc0e8404256067a24ee959a0054
                                  • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                                  APIs
                                  • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                  • GetFocus.USER32 ref: 004696E0
                                  • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessagePost$CtrlFocus
                                  • String ID: 0
                                  • API String ID: 1534620443-4108050209
                                  • Opcode ID: 3dab727c688772619e9efc5d23afb6fcae73775eddc560d175f3e695e52b8611
                                  • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                  • Opcode Fuzzy Hash: 3dab727c688772619e9efc5d23afb6fcae73775eddc560d175f3e695e52b8611
                                  • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                  APIs
                                  • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                    • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                    • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                    • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                  • SendMessageW.USER32(?), ref: 0046F34C
                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                  • _wcscat.LIBCMT ref: 0046F3BC
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                  • DragFinish.SHELL32(?), ref: 0046F414
                                  • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$Drag$Query$FileRect$ClientDialogFinishNtdllPointProc_ScreenWindow_wcscat
                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                  • API String ID: 463080802-3440237614
                                  • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                  • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                  • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                  • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                                  • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                                  • FindClose.KERNEL32(00000000), ref: 00434C88
                                  • FindClose.KERNEL32(00000000), ref: 00434C9C
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                                  • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                                  • FindClose.KERNEL32(00000000), ref: 00434D35
                                  • FindClose.KERNEL32(00000000), ref: 00434D43
                                  Similarity
                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                  • String ID: *.*
                                  • API String ID: 1409584000-438819550
                                  • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                  • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                  • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                  • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,75568FB0,75568FB0,?,?,00000000), ref: 00442E40
                                  • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                                  • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                                  • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                                  • FindClose.KERNEL32(00000000), ref: 00442F80
                                    • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75573220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                  • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                                  Similarity
                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 2640511053-438819550
                                  • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                  • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                                  • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                  • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                                  APIs
                                  Similarity
                                  • API ID: Timetime$Sleep
                                  • String ID: BUTTON
                                  • API String ID: 4176159691-3405671355
                                  • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                  • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                  • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                  • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                  APIs
                                    • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                    • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                    • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                    • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                  • _memset.LIBCMT ref: 00445E61
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                  • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                  • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                  • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                  • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                  • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                  • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                  Similarity
                                  • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                  • String ID:
                                  • API String ID: 3490752873-0
                                  • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                  • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                  • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                  • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0047AA03
                                  • CLSIDFromProgID.COMBASE(00000000,?), ref: 0047AA27
                                  • CoCreateInstance.COMBASE(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                  • _memset.LIBCMT ref: 0047AB7C
                                  • _wcslen.LIBCMT ref: 0047AC68
                                  • _memset.LIBCMT ref: 0047ACCD
                                  • CoCreateInstanceEx.COMBASE ref: 0047AD06
                                  • CoSetProxyBlanket.COMBASE(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                  Strings
                                  • NULL Pointer assignment, xrefs: 0047AD84
                                  Similarity
                                  • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 1588287285-2785691316
                                  • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                  • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                  • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                  • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                  • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                  • GetLastError.KERNEL32 ref: 00436504
                                  • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                  • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                  Similarity
                                  • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 2938487562-3733053543
                                  • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                  • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                  • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                  • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                  APIs
                                  • __swprintf.LIBCMT ref: 00436162
                                  • __swprintf.LIBCMT ref: 00436176
                                    • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                  • __wcsicoll.LIBCMT ref: 00436185
                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                  • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                  • LockResource.KERNEL32(00000000), ref: 004361B5
                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                  • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                  • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                  • LockResource.KERNEL32(?), ref: 004361FD
                                  Similarity
                                  • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                  • String ID:
                                  • API String ID: 2406429042-0
                                  • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                  • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                  • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                  • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                  • GetLastError.KERNEL32 ref: 0045D59D
                                  • SetErrorMode.KERNEL32(?), ref: 0045D629
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                  • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                  • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                  • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                  APIs
                                    • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                    • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                    • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                    • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                  • NtdllDialogWndProc_W.NTDLL(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                  • ReleaseCapture.USER32 ref: 0046F589
                                  • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                  Similarity
                                  • API ID: AsyncState$CaptureClientCursorDialogMessageNtdllProc_ReleaseScreenSendTextWindow
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                  • API String ID: 1737637668-2107944366
                                  • Opcode ID: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                  • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                  • Opcode Fuzzy Hash: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                  • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: DEFINE$`$h$h
                                  • API String ID: 0-4194577831
                                  • Opcode ID: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                  • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                  • Opcode Fuzzy Hash: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                  • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                  APIs
                                  • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MetricsSystem
                                  • String ID:
                                  • API String ID: 4116985748-0
                                  • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                  • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                  • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                  • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                  APIs
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 004648B0
                                  • WSAGetLastError.WS2_32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                  • bind.WS2_32(00000000,?,00000010), ref: 004648DA
                                  • WSAGetLastError.WS2_32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                  • closesocket.WS2_32(00000000), ref: 0046492D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ErrorLast$bindclosesocketsocket
                                  • String ID:
                                  • API String ID: 2609815416-0
                                  • Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                  • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                  • Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                  • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                  • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                  • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                  • __wsplitpath.LIBCMT ref: 004370A5
                                    • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                  • _wcscat.LIBCMT ref: 004370BA
                                  • __wcsicoll.LIBCMT ref: 004370C8
                                  • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 2547909840-0
                                  • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                  • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                  • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                  • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                  APIs
                                  • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                    • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                  • OleInitialize.OLE32(00000000), ref: 0047AE06
                                    • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                    • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                  • _wcslen.LIBCMT ref: 0047AE18
                                  • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                  • CLSIDFromProgID.COMBASE(00000000,?), ref: 0047AFCC
                                  • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                  • String ID:
                                  • API String ID: 1915432386-0
                                  • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                  • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                  • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                  • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                  • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                  • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                  • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextSleep_wcslen
                                  • String ID: *.*
                                  • API String ID: 2693929171-438819550
                                  • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                  • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                  • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                  • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                  APIs
                                  • __wcsicoll.LIBCMT ref: 0043643C
                                  • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                  • __wcsicoll.LIBCMT ref: 00436466
                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __wcsicollmouse_event
                                  • String ID: DOWN
                                  • API String ID: 1033544147-711622031
                                  • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                  • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                  • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                  • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                  APIs
                                    • Part of subcall function 004647A2: inet_addr.WS2_32(?), ref: 004647C7
                                  • socket.WS2_32(00000002,00000002,00000011), ref: 00474213
                                  • WSAGetLastError.WS2_32(00000000), ref: 00474233
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ErrorLastinet_addrsocket
                                  • String ID:
                                  • API String ID: 4170576061-0
                                  • Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                  • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                  • Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                  • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 00447997
                                  • GetCursorPos.USER32(?), ref: 004479A2
                                  • ScreenToClient.USER32(?,?), ref: 004479BE
                                  • WindowFromPoint.USER32(?,?), ref: 004479FF
                                  • NtdllDialogWndProc_W.NTDLL(?,00000020,?,?), ref: 00447A78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Client$CursorDialogFromNtdllPointProc_RectScreenWindow
                                  • String ID:
                                  • API String ID: 4176674648-0
                                  • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                  • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                  • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                  • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004478A7
                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                  • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                  • GetCursorPos.USER32(?), ref: 00447935
                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CursorMenuPopupTrack$DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 192203443-0
                                  • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                  • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                  • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                  • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                  APIs
                                    • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                  • IsWindowVisible.USER32 ref: 00477314
                                  • IsWindowEnabled.USER32 ref: 00477324
                                  • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                                  • IsIconic.USER32 ref: 0047733F
                                  • IsZoomed.USER32 ref: 0047734D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                  • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                  • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                  • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75573220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                  • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                  Similarity
                                  • API ID: File$CloseCreateHandleTime
                                  • String ID:
                                  • API String ID: 3397143404-0
                                  • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                  • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                  • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                  • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: ACCEPT$^$h
                                  • API String ID: 909875538-4263704089
                                  • Opcode ID: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                  • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                                  • Opcode Fuzzy Hash: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                  • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                                  APIs
                                  • _set_new_mode.LIBCMT ref: 0040D88C
                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D8B9
                                  • FreeLibrary.KERNEL32(?), ref: 0040D8CE
                                  Similarity
                                  • API ID: FreeInfoLibraryParametersSystem_set_new_mode
                                  • String ID: Wu
                                  • API String ID: 1188159508-4083010176
                                  • Opcode ID: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                  • Instruction ID: 2b4412acdce639bfbf0f9e0c9ecf3f694f94d165ded01d265c3c64edb54a61d9
                                  • Opcode Fuzzy Hash: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                  • Instruction Fuzzy Hash: C2215EB19183009FC700EF56D88150ABBE4FB98354F44497EF849A72A2D735A945CB9A
                                  APIs
                                  • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                  • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                  • GetAsyncKeyState.USER32(?), ref: 004563D0
                                  • GetAsyncKeyState.USER32(?), ref: 004563DC
                                  Similarity
                                  • API ID: AsyncState$ClientCursorScreen
                                  • String ID:
                                  • API String ID: 4210589936-0
                                  • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                  • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                  • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                  • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                  APIs
                                  • GetParent.USER32(?), ref: 004505BF
                                  • NtdllDialogWndProc_W.NTDLL(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                  • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                  • NtdllDialogWndProc_W.NTDLL(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                  Similarity
                                  • API ID: DialogNtdllProc_$Parent
                                  • String ID:
                                  • API String ID: 3146699748-0
                                  • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                  • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                  • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                  • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046C635
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                  • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                  • CloseClipboard.USER32 ref: 0046C65D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                  • CloseClipboard.USER32 ref: 0046C692
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                  • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                  • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                  • CloseClipboard.USER32 ref: 0046C866
                                  Similarity
                                  • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                  • String ID:
                                  • API String ID: 589737431-0
                                  • Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                  • Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
                                  • Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                  • Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA
                                  Similarity
                                  • API ID:
                                  • String ID: ERCP$VUUU$VUUU$VUUU
                                  • API String ID: 0-2165971703
                                  • Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                  • Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
                                  • Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                  • Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: 14602e3ddb85434cb4a191148b4ac58dc13c9e22f939418703ff5d8e88b69fcb
                                  • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                  • Opcode Fuzzy Hash: 14602e3ddb85434cb4a191148b4ac58dc13c9e22f939418703ff5d8e88b69fcb
                                  • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                  APIs
                                  • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                    • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                  Similarity
                                  • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                  • String ID:
                                  • API String ID: 901099227-0
                                  • Opcode ID: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                  • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                  • Opcode Fuzzy Hash: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                  • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000114,00000000,?,?,?,?,?,004A83D8,?), ref: 00469A31
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: dc39a28d6584410e7e9d39be8fdef0c21f65586a3d31f41dfecdd17b11510ed2
                                  • Instruction ID: 5414628f158ba78a046d4a24b655e4ccbf4c8d46c3d310d0e0a8d963d1b880b8
                                  • Opcode Fuzzy Hash: dc39a28d6584410e7e9d39be8fdef0c21f65586a3d31f41dfecdd17b11510ed2
                                  • Instruction Fuzzy Hash: B4115932700150ABE610CA59EC44E7BB79DEBCA725F14815FF68093282DBB96C05D77B
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                  • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2295610775-0
                                  • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                  • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                  • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                  • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                  APIs
                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00447AE5
                                  • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,004A83D8,?), ref: 00447B09
                                  Similarity
                                  • API ID: DialogMessageNtdllProc_Send
                                  • String ID:
                                  • API String ID: 3814093946-0
                                  • Opcode ID: 282f86207f84fb720c1c146b20eb36cb5bd987ddbd5c6a609029bff053d642d3
                                  • Instruction ID: cf0c3d739a266ecf9dfb39524e393d8b6385858120b34e0c7784725de632f42e
                                  • Opcode Fuzzy Hash: 282f86207f84fb720c1c146b20eb36cb5bd987ddbd5c6a609029bff053d642d3
                                  • Instruction Fuzzy Hash: 8F01DB323002509BD320DF48D888F6BB769EBDA725F14492EFA409B280C7B5B806C775
                                  APIs
                                  • ClientToScreen.USER32(?,?), ref: 00433202
                                  • NtdllDialogWndProc_W.NTDLL(?,00000200,?), ref: 0043322F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ClientDialogNtdllProc_Screen
                                  • String ID:
                                  • API String ID: 3420055661-0
                                  • Opcode ID: 8e2001f9d1191b047fdc261eecd0625cae7c1ad5e6a69bec7795623591e4d7bc
                                  • Instruction ID: 79334b24f5e752891c7b85279833e8fa03bb884f24ead4a413b07d40b8d8150b
                                  • Opcode Fuzzy Hash: 8e2001f9d1191b047fdc261eecd0625cae7c1ad5e6a69bec7795623591e4d7bc
                                  • Instruction Fuzzy Hash: 22F0F4B6504311AFE200DF05ED8492BB7E8EBC8712F148D2EF99193251C7B4A909DBB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: HH$F
                                  • API String ID: 0-4178212064
                                  • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                  • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                  • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                  • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _memset
                                  • String ID:
                                  • API String ID: 2102423945-0
                                  • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                  • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                  • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                  • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,?,?,?,004A83D8,?), ref: 0047E22C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                  • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                  • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                  • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?,004A83D8,?), ref: 00454D46
                                    • Part of subcall function 0044A37A: GetForegroundWindow.USER32(?,?,00454CBD,004A83D8,000000FC,00000000,?,?,004A83D8,?), ref: 0044A37C
                                    • Part of subcall function 0044A37A: GetFocus.USER32 ref: 0044A384
                                    • Part of subcall function 0044A37A: SendMessageW.USER32(?,000000B0,-000001B0,000001B4), ref: 0044A3F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: DialogFocusForegroundMessageNtdllProc_SendWindow
                                  • String ID:
                                  • API String ID: 3709282597-0
                                  • Opcode ID: 38e5b937cba7a8922a2e949dccea1575aba6194ef8ab83a07684414c46f4c513
                                  • Instruction ID: a6609401f9500212a734e1352de4f41152f1c619293fb73b243e796064327410
                                  • Opcode Fuzzy Hash: 38e5b937cba7a8922a2e949dccea1575aba6194ef8ab83a07684414c46f4c513
                                  • Instruction Fuzzy Hash: 4421543020831565F6205258CC06F7B2668CBD2F2AF340A2FFC10A92D7C9EC6CDC922E
                                  APIs
                                  • __time64.LIBCMT ref: 004433A2
                                    • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                    • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Time$FileSystem__aulldiv__time64
                                  • String ID:
                                  • API String ID: 2893107130-0
                                  • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                  • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                  • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                  • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                  APIs
                                  • __time64.LIBCMT ref: 004433A2
                                    • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                    • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Time$FileSystem__aulldiv__time64
                                  • String ID:
                                  • API String ID: 2893107130-0
                                  • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                  • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                  • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                  • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,004A83D8,?), ref: 00440B2E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 0350c70204df7ca237879bf3e5fe06d0c1427b15f4b1adfefff728055112d21b
                                  • Instruction ID: 2f89758668ff77fbe337a6258bca86c2c54edd6c60dd2fee594f13a620ab578e
                                  • Opcode Fuzzy Hash: 0350c70204df7ca237879bf3e5fe06d0c1427b15f4b1adfefff728055112d21b
                                  • Instruction Fuzzy Hash: 14F0E9716002119BE210CF04D80092B7BB5EBCA725F10851EF95157291C774AC52C7F9
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,00000028), ref: 004409D5
                                    • Part of subcall function 00433FA4: _memset.LIBCMT ref: 00433FAD
                                    • Part of subcall function 00433FA4: _memset.LIBCMT ref: 00433FBB
                                    • Part of subcall function 00433FA4: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004A9300,004A92EC), ref: 00433FFF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _memset$CreateDialogNtdllProc_Process
                                  • String ID:
                                  • API String ID: 2209168074-0
                                  • Opcode ID: e47f80020b222bd5a26384a14466514d1d96ec9df3e7169497835d57343bbae6
                                  • Instruction ID: c9e79bee830d5b1130f852bdf2201be18db1474156fe398ae3ca2d8ebb21299f
                                  • Opcode Fuzzy Hash: e47f80020b222bd5a26384a14466514d1d96ec9df3e7169497835d57343bbae6
                                  • Instruction Fuzzy Hash: 7DE039B5608210AFD600EF44E990C9BB3A8EFCD314F01880DF98197256C734ED51CB65
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00454C5F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 4a9068e34db6673d47e394aa80019476632bd9475fd7ea27e6bfec8fc14f2c8f
                                  • Instruction ID: 0c4b3b86ab389f7a39b655bf95fc8aee58d6d74e14bbd2e4030a53327a1dd945
                                  • Opcode Fuzzy Hash: 4a9068e34db6673d47e394aa80019476632bd9475fd7ea27e6bfec8fc14f2c8f
                                  • Instruction Fuzzy Hash: 7EF03074248310AFE210DB54DC49F97B7A4DBC9715F20494DB859572D18AB46C44CB65
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,0000031A,?,?,?), ref: 00447863
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  • Opcode ID: 18858d74dfa023294b40976d9944400fc0d5ac482db733d0de99421c67fed763
                                  • Instruction ID: 42e261f6b1c5cc74ba357aecf8ff1bc27c413e858a44b620ffcb460ef2ec5e49
                                  • Opcode Fuzzy Hash: 18858d74dfa023294b40976d9944400fc0d5ac482db733d0de99421c67fed763
                                  • Instruction Fuzzy Hash: E1E012B5915310AFD700EF64AD559AFB7E8EFD8710F008C2EF84593241D634A9048BA6
                                  APIs
                                  • BlockInput.USER32(00000001), ref: 0045A272
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?), ref: 00433274
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,004A83D8,?), ref: 00447B44
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  APIs
                                  • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                  Similarity
                                  • API ID: LogonUser
                                  • String ID:
                                  • API String ID: 1244722697-0
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  APIs
                                    • Part of subcall function 0046EA7F: DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                  • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,004A83D8,?), ref: 0046F766
                                  Similarity
                                  • API ID: AcceleratorDestroyDialogNtdllProc_Table
                                  • String ID:
                                  • API String ID: 2638641937-0
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000211), ref: 00440993
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  APIs
                                  • NtdllDialogWndProc_W.NTDLL(?,00000212), ref: 00440961
                                  Similarity
                                  • API ID: DialogNtdllProc_
                                  • String ID:
                                  • API String ID: 3239928679-0
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                  • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                  • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                  • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                  APIs
                                  • DeleteObject.GDI32(?), ref: 004593D7
                                  • DeleteObject.GDI32(?), ref: 004593F1
                                  • GetDesktopWindow.USER32 ref: 0045942A
                                  • GetWindowRect.USER32(00000000), ref: 00459431
                                  • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                  • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                  • GetClientRect.USER32(00000000,?), ref: 004595C8
                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                  • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                  • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                  • GlobalLock.KERNEL32(00000000), ref: 00459668
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                  • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00459694
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                  • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                  • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                  • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                  • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                  • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                  • GetStockObject.GDI32(00000011), ref: 004597B7
                                  • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                  • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                  • DeleteDC.GDI32(00000000), ref: 004597E1
                                  • _wcslen.LIBCMT ref: 00459800
                                  • _wcscpy.LIBCMT ref: 0045981F
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                  • 73F7A570.USER32(?,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598DE
                                  • SelectObject.GDI32(00000000,?), ref: 004598EE
                                  • SelectObject.GDI32(00000000,?), ref: 00459919
                                  • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$CreateObject$Global$Rect$DeleteFileSelect$MessageSendShow$A570AdjustAllocClientCloseCopyDesktopFaceFontFreeHandleImageLoadLockMovePictureReadSizeStockStreamTextUnlock_wcscpy_wcslen
                                  • String ID: $AutoIt v3$DISPLAY$static
                                  • API String ID: 3462561085-2373415609
                                  • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                  • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                  • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                  • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 00441E64
                                  • SetTextColor.GDI32(?,?), ref: 00441E6C
                                  • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                  • GetSysColor.USER32(0000000F), ref: 00441E8F
                                  • SetBkColor.GDI32(?,?), ref: 00441EAA
                                  • SelectObject.GDI32(?,?), ref: 00441EBA
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                  • GetSysColor.USER32(00000010), ref: 00441EF8
                                  • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                  • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                  • DeleteObject.GDI32(?), ref: 00441F1B
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                  • FillRect.USER32(?,?,?), ref: 00441FB6
                                    • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                    • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                    • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                    • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                    • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                    • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                    • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                    • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                    • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                    • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                    • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                    • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 3518701105-0
                                  • Opcode ID: 930605f3cd1c335a452d6420eef3f3c10f8d3d9e6664604232036969332d5250
                                  • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                  • Opcode Fuzzy Hash: 930605f3cd1c335a452d6420eef3f3c10f8d3d9e6664604232036969332d5250
                                  • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 1038674560-3360698832
                                  • Opcode ID: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                  • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                  • Opcode Fuzzy Hash: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                  • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                  APIs
                                  • GetSysColor.USER32(0000000E), ref: 00433D81
                                  • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                  • GetSysColor.USER32(00000012), ref: 00433DA3
                                  • SetTextColor.GDI32(?,?), ref: 00433DAB
                                  • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                  • GetSysColor.USER32(0000000F), ref: 00433DCB
                                  • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                  • GetSysColor.USER32(00000011), ref: 00433DEB
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                  • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                  • SetBkColor.GDI32(?,?), ref: 00433E19
                                  • SelectObject.GDI32(?,?), ref: 00433E29
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                  • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                  • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                  • GetSysColor.USER32(00000011), ref: 00433F2E
                                  • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                  • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                  • SelectObject.GDI32(?,?), ref: 00433F63
                                  • DeleteObject.GDI32(?), ref: 00433F70
                                  • SelectObject.GDI32(?,?), ref: 00433F78
                                  • DeleteObject.GDI32(00000000), ref: 00433F7B
                                  • SetTextColor.GDI32(?,?), ref: 00433F83
                                  • SetBkColor.GDI32(?,?), ref: 00433F8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflate$FocusMessageRoundSendSolidWindow
                                  • String ID:
                                  • API String ID: 1441705042-0
                                  • Opcode ID: 697ef1e2b469c7a94178de5208286552364449c38c8500f3df1fcdb24db8d4eb
                                  • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                  • Opcode Fuzzy Hash: 697ef1e2b469c7a94178de5208286552364449c38c8500f3df1fcdb24db8d4eb
                                  • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                  APIs
                                  • _wcslen.LIBCMT ref: 00454DCF
                                  • _wcslen.LIBCMT ref: 00454DE2
                                  • __wcsicoll.LIBCMT ref: 00454DEF
                                  • _wcslen.LIBCMT ref: 00454E04
                                  • __wcsicoll.LIBCMT ref: 00454E11
                                  • _wcslen.LIBCMT ref: 00454E24
                                  • __wcsicoll.LIBCMT ref: 00454E31
                                    • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                  • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                  • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                  • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                  • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                  • DestroyCursor.USER32(?), ref: 00454FA2
                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Load$Image_wcslen$__wcsicoll$LibraryMessageSend$CursorDestroyExtractFreeIconMoveWindow__wcsicmp_l
                                  • String ID: .dll$.exe$.icl$Wu
                                  • API String ID: 921679252-3157294790
                                  • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                  • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                  • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                  • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00456692
                                  • GetDesktopWindow.USER32 ref: 004566AA
                                  • GetWindowRect.USER32(00000000), ref: 004566B1
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                  • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                  • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                  • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                  • IsWindowVisible.USER32(?), ref: 00456812
                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                  • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                  • GetWindowRect.USER32(?,?), ref: 0045685C
                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                  • GetMonitorInfoW.USER32 ref: 00456894
                                  • CopyRect.USER32(?,?), ref: 004568A8
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$Rect$Monitor$CopyCreateCursorDesktopFromInfoPointVisible
                                  • String ID: ($,$tooltips_class32
                                  • API String ID: 250492556-3320066284
                                  • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                  • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                  • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                  • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046C635
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                  • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                  • CloseClipboard.USER32 ref: 0046C65D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                  • CloseClipboard.USER32 ref: 0046C692
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                  • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                  • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                  • CloseClipboard.USER32 ref: 0046C866
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                  • String ID:
                                  • API String ID: 589737431-0
                                  • Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                  • Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
                                  • Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                  • Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  APIs
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  • GetWindowRect.USER32(?,?), ref: 004701EA
                                  • GetClientRect.USER32(?,?), ref: 004701FA
                                  • GetSystemMetrics.USER32(00000007), ref: 00470202
                                  • GetSystemMetrics.USER32(00000008), ref: 00470216
                                  • GetSystemMetrics.USER32(00000004), ref: 00470238
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                  • GetSystemMetrics.USER32(00000007), ref: 00470273
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                  • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                  • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                  • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                                  • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                                  • GetClientRect.USER32(?,?), ref: 00470371
                                  • GetStockObject.GDI32(00000011), ref: 00470391
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                  • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                  Strings
                                  Similarity
                                  • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateMessageObjectSendStockTimer_malloc
                                  • String ID: AutoIt v3 GUI
                                  • API String ID: 3078149357-248962490
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _wcscat$A1560__wcsicoll_wcscpy_wcslen_wcsncpy
                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                  • API String ID: 2681254697-1459072770
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __wcsicoll$__wcsnicmp
                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                  • API String ID: 790654849-1810252412
                                  APIs
                                  • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                  Strings
                                  Similarity
                                  • API ID: Window
                                  • String ID: 0
                                  • API String ID: 2353593579-4108050209
                                  APIs
                                  Similarity
                                  • API ID: InitVariant
                                  • String ID:
                                  • API String ID: 1927566239-0
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                  • _wcsncpy.LIBCMT ref: 0045DF0F
                                  • __wsplitpath.LIBCMT ref: 0045DF54
                                  • _wcscat.LIBCMT ref: 0045DF6C
                                  • _wcscat.LIBCMT ref: 0045DF7E
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                  • _wcscpy.LIBCMT ref: 0045E019
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                  Strings
                                  Similarity
                                  • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                  • String ID: *.*
                                  • API String ID: 3201719729-438819550
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __wcsicoll$IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2485277191-404129466
                                  APIs
                                  • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                  • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                  • strncnt.LIBCMT ref: 00428646
                                  • strncnt.LIBCMT ref: 0042865A
                                  Similarity
                                  • API ID: strncnt$CompareErrorLastString
                                  • String ID:
                                  • API String ID: 1776594460-0
                                  APIs
                                  • LoadIconW.USER32(?,00000063), ref: 004545DA
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                  • SetWindowTextW.USER32(?,?), ref: 00454606
                                  • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                  • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                  • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                  • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                  • GetWindowRect.USER32(?,?), ref: 00454688
                                  • SetWindowTextW.USER32(?,?), ref: 004546FD
                                  • GetDesktopWindow.USER32 ref: 00454708
                                  • GetWindowRect.USER32(00000000), ref: 0045470F
                                  • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                  • GetClientRect.USER32(?,?), ref: 0045476F
                                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                  • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                  • String ID:
                                  • API String ID: 3869813825-0
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                  • GetCursorInfo.USER32 ref: 00458E03
                                  Similarity
                                  • API ID: Cursor$Load$Info
                                  • String ID:
                                  • API String ID: 2577412497-0
                                  • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                  • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                  • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                  • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                  APIs
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                  • GetForegroundWindow.USER32 ref: 0046DBA4
                                  • IsWindow.USER32(?), ref: 0046DBDE
                                  • GetDesktopWindow.USER32 ref: 0046DCB5
                                  • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                    • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$Foreground_wcslen$DesktopEnumWindows
                                  • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                  • API String ID: 922037996-1919597938
                                  • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                  • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                  • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                  • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                  APIs
                                  • _memset.LIBCMT ref: 00468107
                                  • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                                  • GetMenuItemCount.USER32(?), ref: 00468227
                                  • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                                  • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                                  • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                                  • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                                  • GetMenuItemCount.USER32 ref: 004682DC
                                  • SetMenuItemInfoW.USER32 ref: 00468317
                                  • GetCursorPos.USER32(00000000), ref: 00468322
                                  • SetForegroundWindow.USER32(?), ref: 0046832D
                                  • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                                  • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                  • String ID: 0
                                  • API String ID: 3993528054-4108050209
                                  • Opcode ID: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                  • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                  • Opcode Fuzzy Hash: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                  • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __wcsicoll
                                  • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                  • API String ID: 3832890014-4202584635
                                  • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                  • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                  • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                  • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                  APIs
                                  • GetSysColor.USER32 ref: 0044A11D
                                  • GetClientRect.USER32(?,?), ref: 0044A18D
                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                  • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                  • GetSysColor.USER32(0000000F), ref: 0044A216
                                  • GetSysColor.USER32(00000005), ref: 0044A21E
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                  • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                  • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                  • GetStockObject.GDI32(00000005), ref: 0044A312
                                  • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Color$Pixel$ClientMessageModeObjectRectSendStockText
                                  • String ID:
                                  • API String ID: 4000845554-0
                                  • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                  • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                  • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                  • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                  APIs
                                  • _memset.LIBCMT ref: 0045F4AE
                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                                  • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                                  • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: InfoItemMenu$Sleep_memset
                                  • String ID: 0
                                  • API String ID: 1504565804-4108050209
                                  • Opcode ID: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                  • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                  • Opcode Fuzzy Hash: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                  • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                  APIs
                                  • _wcsncpy.LIBCMT ref: 0045CCFA
                                  • __wsplitpath.LIBCMT ref: 0045CD3C
                                  • _wcscat.LIBCMT ref: 0045CD51
                                  • _wcscat.LIBCMT ref: 0045CD63
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                    • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                  • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                  • _wcscpy.LIBCMT ref: 0045CE14
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                  • String ID: *.*
                                  • API String ID: 1153243558-438819550
                                  • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                  • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                  • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                  • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
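The entries in this section are the Joe Sandbox IDA plugin's per-function API summaries: one bullet per call site, "?" for arguments the plugin could not resolve, and "Part of subcall function" for calls that happen in a callee rather than in the function itself. Reading dozens of these by eye is slow, so here is an added example (my own code, not part of the report or of Joe Sandbox's tooling) that parses one entry's "APIs" list into structured records so the call profile of a function can be counted, filtered to resolved constants, and turned into addresses to jump to in the dump. The sample input is constructed by copying the API lines of the function whose calls span 0045CCFA..0045CE5A above; the regex and helper names are assumptions of this example, not anything the plugin exposes.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" lines of one function entry, copied verbatim
# from the report above (calls spanning 0045CCFA..0045CE5A). Not a live report feed.
SAMPLE = """\
APIs
• _wcsncpy.LIBCMT ref: 0045CCFA
• __wsplitpath.LIBCMT ref: 0045CD3C
• _wcscat.LIBCMT ref: 0045CD51
• _wcscat.LIBCMT ref: 0045CD63
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
• _wcscpy.LIBCMT ref: 0045CE14
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
Strings
"""

# One API line of the plugin summary (assumed grammar, derived from the lines on this page):
# optional "Part of subcall function XXXXXXXX:" prefix, then Name.MODULE, an optional "(args)"
# list in which "?" marks an unresolved value, then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_calls(block):
    """Turn the text of one entry into a list of call records; header lines are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs", "Strings", "Memory Dump Source", ... are not API lines
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),   # address as printed, in the 0x400000-based image
            "subcall": m.group("sub"),        # None when the call is made directly in this function
        })
    return calls


def api_histogram(calls, include_subcalls=False):
    """Count calls per API; subcall lines are summaries of other functions, so skip them by default."""
    return Counter(c["api"] for c in calls if include_subcalls or c["subcall"] is None)


def resolved_args(calls):
    """Map API -> {(argument index, value)} for arguments the plugin resolved to a constant."""
    out = {}
    for c in calls:
        for i, value in enumerate(c["args"]):
            if value != "?":
                out.setdefault(c["api"], set()).add((i, value))
    return out


def call_sites(calls, api_names):
    """Sorted addresses at which any of api_names is called directly, for jumping to in the dump."""
    return sorted(c["ref"] for c in calls if c["api"] in api_names and c["subcall"] is None)


if __name__ == "__main__":
    calls = parse_api_calls(SAMPLE)
    print(api_histogram(calls).most_common())
    # 0x104 == 260 == MAX_PATH, the buffer size handed to GetCurrentDirectoryW
    print({k: sorted(v) for k, v in resolved_args(calls).items()})
    print([hex(a) for a in call_sites(calls, {"SetFileAttributesW", "SetCurrentDirectoryW"})])
```

The histogram makes the shape of the function obvious at a glance (four SetCurrentDirectoryW calls bracketing a GetFileAttributesW/SetFileAttributesW pair, with "*.*" as the only string), and call_sites gives the exact addresses to put a breakpoint on or to cross-reference in the 0000000000401000 dump listed under Memory Dump Source. Keeping subcall lines out of the histogram by default matters: counting them would attribute the callee's GetFileAttributesW to this function twice.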
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                  • String ID:
                                  • API String ID: 1481289235-0
                                  • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                  • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                  • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                  • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                  • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CursorLoad
                                  • String ID:
                                  • API String ID: 3238433803-0
                                  • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                  • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                  • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                  • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                  • _wcslen.LIBCMT ref: 00460B00
                                  • __swprintf.LIBCMT ref: 00460B9E
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                  • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                  • GetWindowRect.USER32(?,?), ref: 00460D21
                                  • GetParent.USER32(?), ref: 00460D40
                                  • ScreenToClient.USER32(00000000), ref: 00460D47
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                  • String ID: %s%u
                                  • API String ID: 1899580136-679674701
                                  • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                  • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                  • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                  • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                  APIs
                                  • CoTaskMemFree.COMBASE(?), ref: 0047D6D3
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • StringFromCLSID.COMBASE(?,?), ref: 0047D6B5
                                    • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                    • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                  • StringFromIID.COMBASE(?,?), ref: 0047D7F0
                                  • CoTaskMemFree.COMBASE(?), ref: 0047D80A
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: FreeFromStringTask_wcslen$_wcscpy
                                  • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$F
                                  • API String ID: 2485709727-1559635344
                                  • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                  • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                  • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                  • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                  • __swprintf.LIBCMT ref: 0045E4D9
                                  • _printf.LIBCMT ref: 0045E595
                                  • _printf.LIBCMT ref: 0045E5B7
                                  Strings
                                  Similarity
                                  • API ID: LoadString_printf$__swprintf_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                  • API String ID: 3590180749-2894483878
                                  • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                  • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                  • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                  • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                  APIs
                                    • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                    • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                  • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  Strings
                                  Similarity
                                  • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 4013263488-4113822522
                                  • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                  • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                  • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                  • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                  APIs
                                  Similarity
                                  • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                  • String ID:
                                  • API String ID: 228034949-0
                                  • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                  • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                  • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                  • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                  • GlobalLock.KERNEL32(00000000), ref: 00433523
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0043354F
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                  • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                  • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                  • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                  • DeleteObject.GDI32(?), ref: 00433603
                                  • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                  Similarity
                                  • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                  • String ID:
                                  • API String ID: 3969911579-0
                                  • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                  • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                  • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                  • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: Menu$Delete$DestroyItemObject$CountCursorDrawInfo_memset
                                  • String ID: 0
                                  • API String ID: 3043981545-4108050209
                                  • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                  • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                  • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                  • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                  APIs
                                  • GetParent.USER32 ref: 00445A8D
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                  • __wcsicoll.LIBCMT ref: 00445AC4
                                  • __wcsicoll.LIBCMT ref: 00445AE0
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                  Strings
                                  Similarity
                                  • API ID: __wcsicoll$ClassMessageNameParentSend
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 3125838495-3381328864
                                  • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                  • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                  • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                  • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                  APIs
                                  • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                  • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                  • DeleteObject.GDI32(?), ref: 0046F950
                                  • DestroyCursor.USER32(?), ref: 0046F95E
                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                  • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                  • DeleteObject.GDI32(?), ref: 0046F9CF
                                  • DestroyCursor.USER32(?), ref: 0046F9DD
                                  • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                  • DestroyCursor.USER32(?), ref: 0046FA4F
                                  • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                  • DeleteObject.GDI32(?), ref: 0046FA68
                                  • DestroyCursor.USER32(?), ref: 0046FA76
                                  Similarity
                                  • API ID: CursorDestroy$DeleteMessageObjectSend$ImageLoad$ExtractIcon
                                  • String ID:
                                  • API String ID: 3924271234-0
                                  • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                  • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                  • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                  • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                  Strings
                                  Similarity
                                  • API ID: CopyVariant$ErrorLast
                                  • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                  • API String ID: 2286883814-4206948668
                                  • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                  • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                  • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                  • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$_memset_wcscpy_wcsncpy_wcstok$__getptd
                                  • String ID: X
                                  • API String ID: 3089742834-3081909835
                                  • Opcode ID: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                                  • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                  • Opcode Fuzzy Hash: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                                  • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                  APIs
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                                  Strings
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID: ,$tooltips_class32
                                  • API String ID: 716092398-3856767331
                                  • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                  • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                  • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                  • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                  APIs
                                  • StringFromIID.COMBASE(?,?), ref: 004582E5
                                    • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                    • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • CoTaskMemFree.COMBASE(?), ref: 00458335
                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                  • RegQueryValueExW.ADVAPI32 ref: 00458381
                                  • CLSIDFromString.COMBASE(00000000,?), ref: 004583AF
                                  • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                  • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                    • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                  • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                  • String ID: Version$\TypeLib$interface\
                                  • API String ID: 656856066-939221531
                                  • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                  • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                  • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                  • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                  • __swprintf.LIBCMT ref: 0045E6EE
                                  • _printf.LIBCMT ref: 0045E7A9
                                  • _printf.LIBCMT ref: 0045E7D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: LoadString_printf$__swprintf_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 3590180749-2354261254
                                  • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                  • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                  • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                  • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                  APIs
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • _memset.LIBCMT ref: 00458194
                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                  • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                  • CLSIDFromString.COMBASE(00000000,?), ref: 00458279
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                  • API String ID: 2255324689-22481851
                                  • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                  • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                  • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                  • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                  • RegCloseKey.ADVAPI32(?), ref: 00458615
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                  • __wcsicoll.LIBCMT ref: 004585D6
                                  • IIDFromString.COMBASE(?,?), ref: 004585EB
                                  • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                  • String ID: ($interface$interface\
                                  • API String ID: 2231185022-3327702407
                                  • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                  • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                  • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                  • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: InitVariant$_malloc_wcscpy_wcslen
                                  • String ID: H<D
                                  • API String ID: 3413494760-2206923036
                                  • Opcode ID: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
                                  • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                  • Opcode Fuzzy Hash: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
                                  • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 2691793716-3771769585
                                  • Opcode ID: 72edaa20f59d4c855ae2a4057bf2e912041bb0bcae33cfe0ba1e7234a9852c49
                                  • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                  • Opcode Fuzzy Hash: 72edaa20f59d4c855ae2a4057bf2e912041bb0bcae33cfe0ba1e7234a9852c49
                                  • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                  • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                    • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                    • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                  • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                  • __lock.LIBCMT ref: 00416B8A
                                  • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                  • __lock.LIBCMT ref: 00416BAB
                                  • ___addlocaleref.LIBCMT ref: 00416BC9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                  • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                  • API String ID: 1028249917-2843748187
                                  • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                  • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                  • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                  • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                  APIs
                                  • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                  • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                  • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                  • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                  • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$CharNext
                                  • String ID:
                                  • API String ID: 1350042424-0
                                  • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                  • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                  • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                  • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                  APIs
                                  • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                  • SetKeyboardState.USER32(?), ref: 00453C5A
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                  • GetKeyState.USER32(000000A0), ref: 00453C99
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                  • GetKeyState.USER32(000000A1), ref: 00453CDA
                                  • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                  • GetKeyState.USER32(00000011), ref: 00453D15
                                  • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                  • GetKeyState.USER32(00000012), ref: 00453D4D
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                  • GetKeyState.USER32(0000005B), ref: 00453D85
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                  • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                  • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                  • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                  • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                  • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                  • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                  • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                  • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                  • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                  • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                  • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                  • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                  • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                  • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                  • String ID:
                                  • API String ID: 136442275-0
                                  • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                  • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                  • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                  • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                  APIs
                                  • _memset.LIBCMT ref: 00479D1F
                                  • VariantInit.OLEAUT32(?), ref: 00479F06
                                  • VariantClear.OLEAUT32(?), ref: 00479F11
                                  • VariantInit.OLEAUT32(?), ref: 00479DF7
                                    • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                    • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                    • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                  • VariantClear.OLEAUT32(?), ref: 00479F9C
                                    • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                  • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                  • API String ID: 665237470-1153829046
                                  • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                  • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                  • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                  • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                  • _wcslen.LIBCMT ref: 00460502
                                  • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                  • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                  • GetWindowRect.USER32(?,?), ref: 004606AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                  • String ID: ThumbnailClass
                                  • API String ID: 4123061591-1241985126
                                  • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                  • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                  • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                  • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                  APIs
                                    • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                    • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                  • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                  • _wcscpy.LIBCMT ref: 00475F18
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                  • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 3052893215-3593318738
                                  • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                  • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                  • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                  • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                  • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                  • _memcmp.LIBCMT ref: 004394A9
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                  Strings
                                  • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                  • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                  • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                  • API String ID: 1446985595-805462909
                                  • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                  • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                  • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                  • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                  • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                  • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                  • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                  • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                  • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                  • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                  • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                  • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                    • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                    • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                  • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                  • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                  • String ID:
                                  • API String ID: 1932665248-0
                                  • Opcode ID: 16f99e80be173eecdd1bb573f6b7f825babaa5351af7cc3efc94bb11c862a2f8
                                  • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                  • Opcode Fuzzy Hash: 16f99e80be173eecdd1bb573f6b7f825babaa5351af7cc3efc94bb11c862a2f8
                                  • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                  • String ID:
                                  • API String ID: 3381189665-0
                                  • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                  • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                  • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                  • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                  • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                  • SendMessageW.USER32 ref: 0046FBAF
                                  • SendMessageW.USER32 ref: 0046FBE2
                                  • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                  • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                  • SendMessageW.USER32 ref: 0046FD00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$ExtractIcon
                                  • String ID:
                                  • API String ID: 2741346921-0
                                  • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                  • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                  • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                  • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                  APIs
                                  • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                  • GetKeyState.USER32(000000A0), ref: 00444E26
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                  • GetKeyState.USER32(000000A1), ref: 00444E51
                                  • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                  • GetKeyState.USER32(00000011), ref: 00444E77
                                  • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                  • GetKeyState.USER32(00000012), ref: 00444E9D
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                  • GetKeyState.USER32(0000005B), ref: 00444EC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                  • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                  • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                  • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                  APIs
                                  • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                  • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                  • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: DecrementInterlocked$Sleep
                                  • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ$F
                                  • API String ID: 2250217261-852650922
                                  • Opcode ID: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                                  • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                  • Opcode Fuzzy Hash: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                                  • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                  APIs
                                  • 73F7A570.USER32(00000000,?,?,?), ref: 00434585
                                  • SelectObject.GDI32(00000000,?), ref: 004345A9
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                  • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: A570BitsObjectSelectStretch
                                  • String ID: (
                                  • API String ID: 4270841370-3887548279
                                  • Opcode ID: f1a61bd92dc1e5bf4a907c179000b9c6a14a2e3466c3eeb116f883cf8bb2fa69
                                  • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                  • Opcode Fuzzy Hash: f1a61bd92dc1e5bf4a907c179000b9c6a14a2e3466c3eeb116f883cf8bb2fa69
                                  • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                                  • _wcslen.LIBCMT ref: 00450944
                                  • _wcscat.LIBCMT ref: 00450955
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                  • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcscat_wcslen
                                  • String ID: -----$SysListView32
                                  • API String ID: 4008455318-3975388722
                                  • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                  • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                  • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                  • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                  APIs
                                  • _memset.LIBCMT ref: 00448625
                                  • CreateMenu.USER32 ref: 0044863C
                                  • SetMenu.USER32(?,00000000), ref: 0044864C
                                  • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                                  • IsMenu.USER32(?), ref: 004486EB
                                  • CreatePopupMenu.USER32 ref: 004486F5
                                  • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                                  • DrawMenuBar.USER32 ref: 00448742
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                  • String ID: 0
                                  • API String ID: 176399719-4108050209
                                  • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                  • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                  • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                  • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469289
                                  • GetParent.USER32 ref: 004692A4
                                  • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                  • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                                  • GetParent.USER32 ref: 004692C7
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2040099840-1403004172
                                  • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                  • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                  • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                  • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                  • GetParent.USER32 ref: 0046949E
                                  • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                  • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                  • GetParent.USER32 ref: 004694C1
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2040099840-1403004172
                                  • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                  • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                  • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                  • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown
                                  • API String ID: 2907320926-706929342
                                  • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                  • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                  • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                  • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                  • _memset.LIBCMT ref: 004481BA
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                  • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                  • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                  • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                  • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$_memset
                                  • String ID:
                                  • API String ID: 1515505866-0
                                  • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                  • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                  • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                  • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                  • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                  • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                  • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                  • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __wcsicoll
                                  • String ID: 0%d$DOWN$OFF
                                  • API String ID: 3832890014-468733193
                                  • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                  • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                  • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                  • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                  APIs
                                  • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                  • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                  • VariantClear.OLEAUT32 ref: 0045E970
                                  • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                  • __swprintf.LIBCMT ref: 0045EB1F
                                  • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                  • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                  Strings
                                  • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                  • String ID: %4d%02d%02d%02d%02d%02d
                                  • API String ID: 43541914-1568723262
                                  • Opcode ID: 59f20d5c687eca5b8ac21bf224ed8e62dc0999386ac77495242af5446a13f09a
                                  • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                  • Opcode Fuzzy Hash: 59f20d5c687eca5b8ac21bf224ed8e62dc0999386ac77495242af5446a13f09a
                                  • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __snwprintf__wcsicoll_wcscpy
                                  • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY$F
                                  • API String ID: 1729044348-1290998328
                                  • Opcode ID: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                  • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                  • Opcode Fuzzy Hash: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                  • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                  APIs
                                  • _memset.LIBCMT ref: 0045F317
                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                  • IsMenu.USER32(?), ref: 0045F380
                                  • CreatePopupMenu.USER32 ref: 0045F3C5
                                  • GetMenuItemCount.USER32(?), ref: 0045F42F
                                  • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                  • String ID: 0$2
                                  • API String ID: 3311875123-3793063076
                                  • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                  • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                  • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                  • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\4LbgdNQgna.exe), ref: 0043719E
                                  • LoadStringW.USER32(00000000), ref: 004371A7
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                  • LoadStringW.USER32(00000000), ref: 004371C0
                                  • _printf.LIBCMT ref: 004371EC
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                  Strings
                                  • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                  • C:\Users\user\Desktop\4LbgdNQgna.exe, xrefs: 00437189
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message_printf
                                  • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\4LbgdNQgna.exe
                                  • API String ID: 220974073-523550883
                                  • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                  • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                                  • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                  • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_wcslen
                                  • String ID:
                                  • API String ID: 535477410-0
                                  • Opcode ID: e91c6bd909ad74ed1928ed0244ed8aa8a8dc52ba60fb0b240039b69f8a910896
                                  • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                  • Opcode Fuzzy Hash: e91c6bd909ad74ed1928ed0244ed8aa8a8dc52ba60fb0b240039b69f8a910896
                                  • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                  • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                                  • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                  • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                                  APIs
                                    • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\4LbgdNQgna.exe,?,C:\Users\user\Desktop\4LbgdNQgna.exe,004A8E80,C:\Users\user\Desktop\4LbgdNQgna.exe,0040F3D2), ref: 0040FFCA
                                    • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                  • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                  • String ID:
                                  • API String ID: 978794511-0
                                  • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                  • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                  • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                  • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                  • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                  • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                  • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                  APIs
                                    • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                    • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                    • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                  • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                  • Sleep.KERNEL32(00000000), ref: 00445D70
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                  • String ID:
                                  • API String ID: 2014098862-0
                                  • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                  • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                  • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                  • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AddressProc_malloc$_strcat_strlen
                                  • String ID: AU3_FreeVar
                                  • API String ID: 2184576858-771828931
                                  • Opcode ID: 0c8ae277bfce4f6227ebe1b78a96747af57dc4a525e04d776edf31878272b6cd
                                  • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                  • Opcode Fuzzy Hash: 0c8ae277bfce4f6227ebe1b78a96747af57dc4a525e04d776edf31878272b6cd
                                  • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                  APIs
                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                  • UnregisterHotKey.USER32(?), ref: 0042A778
                                  • FreeLibrary.KERNEL32(?), ref: 0042A822
                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Free$LibrarySendStringUnregisterVirtual
                                  • String ID: close all$Wu
                                  • API String ID: 2389397985-1790509019
                                  • Opcode ID: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
                                  • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                  • Opcode Fuzzy Hash: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
                                  • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                  • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                    • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                  • String ID:
                                  • API String ID: 1291720006-3916222277
                                  • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                  • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                  • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                  • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                  • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                  • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                  • GetClientRect.USER32(?,?), ref: 0046FEF2
                                  • DestroyCursor.USER32(?), ref: 0046FFCC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientCursorDestroyExtractIconRect
                                  • String ID: 2
                                  • API String ID: 1821208316-450215437
                                  • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                  • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                  • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                  • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: static
                                  • API String ID: 0-2160076837
                                  • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                  • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                  • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                  • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                  APIs
                                    • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\4LbgdNQgna.exe,?,C:\Users\user\Desktop\4LbgdNQgna.exe,004A8E80,C:\Users\user\Desktop\4LbgdNQgna.exe,0040F3D2), ref: 0040FFCA
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                  • _wcscat.LIBCMT ref: 0044BCAA
                                  • _wcslen.LIBCMT ref: 0044BCB7
                                  • _wcslen.LIBCMT ref: 0044BCCB
                                  • SHFileOperationW.SHELL32 ref: 0044BD16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2326526234-1173974218
                                  • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                  • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                  • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                  • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                  APIs
                                    • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                  • _wcslen.LIBCMT ref: 004366DD
                                  • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                  • GetLastError.KERNEL32 ref: 0043670F
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                  • _wcsrchr.LIBCMT ref: 0043674C
                                    • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                  • String ID: \
                                  • API String ID: 321622961-2967466578
                                  • Opcode ID: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
                                  • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                  • Opcode Fuzzy Hash: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
                                  • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                  • API String ID: 1038674560-2734436370
                                  • Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
                                  • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                  • Opcode Fuzzy Hash: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
                                  • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                  APIs
                                    • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                  • SendMessageW.USER32(76C223D0,00001001,00000000,00000000), ref: 00448E73
                                  • SendMessageW.USER32(76C223D0,00001026,00000000,00000000), ref: 00448E7E
                                    • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                  • String ID:
                                  • API String ID: 3771399671-0
                                  • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                  • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                  • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                  • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                  APIs
                                  • _memset.LIBCMT ref: 00401257
                                    • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                    • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                    • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                    • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                  • KillTimer.USER32(?,?), ref: 004012B0
                                  • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                  • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                  • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                  • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                  • String ID:
                                  • API String ID: 1792922140-0
                                  • Opcode ID: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                                  • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                  • Opcode Fuzzy Hash: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                                  • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                    • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                    • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                    • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                  • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                    • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                  • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                    • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                  • RtlExitUserThread.NTDLL(00000000), ref: 0041410F
                                  • GetCurrentThreadId.KERNEL32 ref: 00414115
                                  • __freefls@4.LIBCMT ref: 00414135
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritableUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 2030478265-0
                                  • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                  • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                                  • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                  • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                                  APIs
                                  • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                  • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                  • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                  • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                  • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                  • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                  • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                  • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                  • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                                  • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                  • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31ff441d28c5e927918bd04bcaff178bc0424bc9c98581a0806166e4fd3f8403
                                  • Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
                                  • Opcode Fuzzy Hash: 31ff441d28c5e927918bd04bcaff178bc0424bc9c98581a0806166e4fd3f8403
                                  • Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A
                                  APIs
                                  • WSAStartup.WS2_32(00000101,?), ref: 00464ADE
                                    • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                  • inet_addr.WS2_32(?), ref: 00464B1F
                                  • gethostbyname.WS2_32(?), ref: 00464B29
                                  • _memset.LIBCMT ref: 00464B92
                                  • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                  • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                  • WSACleanup.WS2_32 ref: 00464CE4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                  • String ID:
                                  • API String ID: 3424476444-0
                                  • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                  • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                  • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                  • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_wcslen
                                  • String ID:
                                  • API String ID: 535477410-0
                                  • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                  • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                  • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                  • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                  APIs
                                    • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                    • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                  • _memset.LIBCMT ref: 004538C4
                                  • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                  • _wcslen.LIBCMT ref: 00453960
                                  • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                  • String ID: 0
                                  • API String ID: 3530711334-4108050209
                                  • Opcode ID: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                  • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                  • Opcode Fuzzy Hash: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                  • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                  APIs
                                    • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                    • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                    • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                  • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                  • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                  • LineTo.GDI32(?,?), ref: 004474BF
                                  • CloseFigure.GDI32(?), ref: 004474C6
                                  • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                  • Rectangle.GDI32(?,?), ref: 004474F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                  • String ID:
                                  • API String ID: 4082120231-0
                                  • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                  • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                  • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                  • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                  APIs
                                    • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                    • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                    • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                  • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                  • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                  • LineTo.GDI32(?,?), ref: 004474BF
                                  • CloseFigure.GDI32(?), ref: 004474C6
                                  • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                  • Rectangle.GDI32(?,?), ref: 004474F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                  • String ID:
                                  • API String ID: 4082120231-0
                                  • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                  • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                  • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                  • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_wcslen
                                  • String ID:
                                  • API String ID: 535477410-0
                                  • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                  • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                  • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                  • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                  • String ID:
                                  • API String ID: 288456094-0
                                  • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                  • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                  • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                  • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                  APIs
                                    • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                  • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                  • DeleteObject.GDI32(00780045), ref: 0046EB4F
                                  • DestroyCursor.USER32(00740069), ref: 0046EB67
                                  • DeleteObject.GDI32(3F077B75), ref: 0046EB7F
                                  • DestroyCursor.USER32(?), ref: 0046EBBF
                                  • DestroyCursor.USER32(?), ref: 0046EBCD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Destroy$Cursor$DeleteObject$AcceleratorInvalidateRectTable
                                  • String ID:
                                  • API String ID: 3205914843-0
                                  • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                  • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                  • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                  • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                  APIs
                                  • GetParent.USER32(?), ref: 004449B0
                                  • GetKeyboardState.USER32(?), ref: 004449C3
                                  • SetKeyboardState.USER32(?), ref: 00444A0F
                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                  • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                  • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                  • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                  APIs
                                  • GetParent.USER32(?), ref: 00444BA9
                                  • GetKeyboardState.USER32(?), ref: 00444BBC
                                  • SetKeyboardState.USER32(?), ref: 00444C08
                                  • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                  • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                  • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                  • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                  • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                  • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                  • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
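The two entries above (the functions at 004449B0.. and 00444BA9..) post the same four wParam values, 0x10, 0x11, 0x12 and 0x5B, once with uMsg 0x0101 and once with uMsg 0x0100. Against winuser.h those are WM_KEYUP and WM_KEYDOWN for VK_SHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN: one function releases every modifier key in the window obtained via GetParent, the other presses them all. PostMessage does not update the keyboard state that GetKeyState reports, which is a likely reason both functions first read and rewrite it with GetKeyboardState/SetKeyboardState. The Python below is an added example, not code from the report or from the sample: a small parser for the report's "Api.MODULE(args), ref: ADDRESS" call lines that decodes these keyboard messages. The sample text is constructed by copying the two entries; the constant names are from winuser.h, and any uMsg or virtual key outside that small table is reported as a raw value.

```python
import re

# Constructed sample: the two PostMessageW sequences listed in the report entries
# at 004449B0.. and 00444BA9.., copied here as text so the parser has input.
SAMPLE_LINES = """\
• GetParent.USER32(?), ref: 004449B0
• GetKeyboardState.USER32(?), ref: 004449C3
• SetKeyboardState.USER32(?), ref: 00444A0F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
• PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
• PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
"""

# One "Api.MODULE(arg,arg,...), ref: ADDRESS" call line as the report prints it.
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Constants from winuser.h; only the ones that occur in these two functions.
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def parse_call(line):
    """Parse one call line into {api, module, args, ref}; an unresolved '?' argument
    becomes None. Lines in another shape (e.g. '_wcslen.LIBCMT ref: ...') give None."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw:
            args.append(None if raw == "?" else int(raw, 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_keystrokes(text):
    """Return [(ref, message, key)] for every PostMessageW whose uMsg is a key message.
    PostMessageW(hWnd, uMsg, wParam, lParam): for WM_KEYDOWN/WM_KEYUP wParam is the VK code."""
    decoded = []
    for line in text.splitlines():
        call = parse_call(line)
        if not call or call["api"] != "PostMessageW" or len(call["args"]) < 3:
            continue
        msg, vk = call["args"][1], call["args"][2]
        if msg not in WINDOW_MESSAGES:
            continue
        key = "?" if vk is None else VIRTUAL_KEYS.get(vk, "VK_0x%02X" % vk)
        decoded.append((call["ref"], WINDOW_MESSAGES[msg], key))
    return decoded


def summarize(decoded):
    """Group the decoded keys by message, so the two functions read as
    'release all modifiers' and 'press all modifiers'."""
    summary = {}
    for _, msg, key in decoded:
        summary.setdefault(msg, []).append(key)
    return summary


if __name__ == "__main__":
    keys = decode_keystrokes(SAMPLE_LINES)
    for ref, msg, key in keys:
        print("%08X  %-10s %s" % (ref, msg, key))
    print(summarize(keys))
```

The parser only understands the one-line "Api.MODULE(...), ref:" form; the indented "Part of subcall function" lines and the CRT entries without an argument list are skipped rather than guessed at.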
                                  APIs
                                  • _memset.LIBCMT ref: 00457C34
                                  • _memset.LIBCMT ref: 00457CE8
                                  • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                    • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                    • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                  • CloseHandle.KERNEL32(?), ref: 00457DDD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                  • String ID: <$@
                                  • API String ID: 1325244542-1426351568
                                  • Opcode ID: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                                  • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                  • Opcode Fuzzy Hash: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                                  • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                  • __wsplitpath.LIBCMT ref: 004737E1
                                    • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                  • _wcscat.LIBCMT ref: 004737F6
                                  • __wcsicoll.LIBCMT ref: 00473818
                                  • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                  • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 2547909840-0
                                  • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                  • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                  • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                  • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                  APIs
                                  • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                  • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                  • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: AddressProc$Library$FreeLoad
                                  • String ID: Wu
                                  • API String ID: 2449869053-4083010176
                                  • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                  • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                  • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                  • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                  APIs
                                    • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                  • GetMenu.USER32 ref: 004776AA
                                  • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                  • _wcslen.LIBCMT ref: 0047771A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Menu$CountItemStringWindow_wcslen
                                  • String ID:
                                  • API String ID: 1823500076-0
                                  • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                  • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                  • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                  • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                  APIs
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                  • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                  • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                  • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageMoveSend
                                  • String ID:
                                  • API String ID: 896007046-0
                                  • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                  • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                  • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                  • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                  APIs
                                  • _memset.LIBCMT ref: 004484C4
                                  • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                  • IsMenu.USER32(?), ref: 0044857B
                                  • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                  • DrawMenuBar.USER32 ref: 004485E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                  • String ID: 0
                                  • API String ID: 3866635326-4108050209
                                  • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                  • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                  • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                  • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                  APIs
                                  • InterlockedIncrement.KERNEL32 ref: 0047247C
                                  • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                  • Sleep.KERNEL32(0000000A), ref: 00472499
                                  • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                  • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID: 0vH
                                  • API String ID: 327565842-3662162768
                                  • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                  • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                  • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                  • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                  APIs
                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                  • GetFocus.USER32 ref: 00448B1C
                                  • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                  • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                  • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$Enable$Show$FocusMessageSend
                                  • String ID:
                                  • API String ID: 3429747543-0
                                  • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                  • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                  • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                  • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                  APIs
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                  • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                  • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Msctls_Progress32
                                  • API String ID: 3850602802-3636473452
                                  • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                  • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                  • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                  • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 00415737
                                  • __calloc_crt.LIBCMT ref: 00415743
                                  • __getptd.LIBCMT ref: 00415750
                                  • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                  • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                  • __dosmaperr.LIBCMT ref: 004157A9
                                    • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                    • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                  • String ID:
                                  • API String ID: 1269668773-0
                                  • Opcode ID: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
                                  • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                  • Opcode Fuzzy Hash: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
                                  • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                  APIs
                                    • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                  • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                    • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                    • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                    • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                  • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                    • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                  • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                    • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                  • RtlExitUserThread.NTDLL(00000000), ref: 0041410F
                                  • GetCurrentThreadId.KERNEL32 ref: 00414115
                                  • __freefls@4.LIBCMT ref: 00414135
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritableUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 3333014375-0
                                  • Opcode ID: 234ab307b5c40b08ea0c1433cc5e64915265a7813faf8dc664d6b0a8a95377c8
                                  • Instruction ID: 911ed986ec53ede6ef0b83571fa98f68ea879814fd42304df77ef2b59abdac01
                                  • Opcode Fuzzy Hash: 234ab307b5c40b08ea0c1433cc5e64915265a7813faf8dc664d6b0a8a95377c8
                                  • Instruction Fuzzy Hash: 6201A171400205BBCB003FB6DC0E5DF76ACAF95399B22086EFA0193212DA7CC9C1866D
                                  APIs
                                    • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                    • Part of subcall function 00438FE4: RtlAllocateHeap.NTDLL(00000000), ref: 00438FEF
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                  • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                  • String ID:
                                  • API String ID: 1422014791-0
                                  • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                  • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                  • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                  • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                  APIs
                                    • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                  • ___set_flsgetvalue.LIBCMT ref: 00415690
                                    • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                    • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                    • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                  • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                    • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                  • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                    • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                  • RtlExitUserThread.NTDLL(00000000), ref: 004156BD
                                  • __freefls@4.LIBCMT ref: 004156D9
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                  Similarity
                                  • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThreadUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 3429761990-0
                                  • Opcode ID: 68f8895410578a6558ff0b3d5985a9e6c93f505c3c296d3eff7805ab3ee2bdad
                                  • Instruction ID: 437946ba33081a53f8e8a37eff8b1c0e9594209f2053f9d7bb117d63c1528b40
                                  • Opcode Fuzzy Hash: 68f8895410578a6558ff0b3d5985a9e6c93f505c3c296d3eff7805ab3ee2bdad
                                  • Instruction Fuzzy Hash: 88016274500705ABD704BFB2DD199DE7B69AF84349B21C86FB90897222DA3DC9C1CB9C
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 00415690
                                    • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                    • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                    • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                  • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                    • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                  • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                    • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                  • RtlExitUserThread.NTDLL(00000000), ref: 004156BD
                                  • __freefls@4.LIBCMT ref: 004156D9
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                  Similarity
                                  • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThreadUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 944295313-0
                                  • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                  • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                  • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                  • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                  • API String ID: 2574300362-3261711971
                                  • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                  • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                  • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                  • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 00433724
                                  • GetWindowRect.USER32(00000000,?), ref: 00433757
                                  • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                  • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                  • GetWindowRect.USER32(?,?), ref: 00433814
                                  • ScreenToClient.USER32(?,?), ref: 00433842
                                  Similarity
                                  • API ID: Rect$Client$Window$MetricsScreenSystem
                                  • String ID:
                                  • API String ID: 3220332590-0
                                  • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                  • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                  • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                  • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                  APIs
                                  Similarity
                                  • API ID: _malloc_wcslen$_strcat_wcscpy
                                  • String ID:
                                  • API String ID: 1612042205-0
                                  • Opcode ID: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                  • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                  • Opcode Fuzzy Hash: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                  • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                  APIs
                                  Similarity
                                  • API ID: ErrorLastselect
                                  • String ID:
                                  • API String ID: 215497628-0
                                  • Opcode ID: 0de0448ade90d459e176b7eabd0eb7793c39b194d41e4bdd7ff4fb8690f4e17f
                                  • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                  • Opcode Fuzzy Hash: 0de0448ade90d459e176b7eabd0eb7793c39b194d41e4bdd7ff4fb8690f4e17f
                                  • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                  APIs
                                  • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                  • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                  • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                  • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                  • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                  • SendInput.USER32 ref: 0044C6E2
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$InputSend
                                  • String ID:
                                  • API String ID: 2221674350-0
                                  • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                  • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                  • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                  • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                  APIs
                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                  • 6FAA0200.COMCTL32(?,?,?,?), ref: 004552EB
                                  • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                  • DeleteObject.GDI32(?), ref: 0045564E
                                  • DeleteObject.GDI32(?), ref: 0045565C
                                  • DestroyCursor.USER32(?), ref: 0045566A
                                  Similarity
                                  • API ID: DeleteMessageObjectSend$A0200CursorDestroy
                                  • String ID:
                                  • API String ID: 1376768940-0
                                  • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                  • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                  • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                  • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                  APIs
                                  Similarity
                                  • API ID: _wcscpy$_wcscat
                                  • String ID:
                                  • API String ID: 2037614760-0
                                  • Opcode ID: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                  • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                  • Opcode Fuzzy Hash: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                  • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                  APIs
                                  • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                  • GetWindowRect.USER32(?,?), ref: 00447C1B
                                  • ScreenToClient.USER32(?,?), ref: 00447C39
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                  • EndPaint.USER32(?,?), ref: 00447CD1
                                  Similarity
                                  • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 4189319755-0
                                  • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                  • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                  • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                  • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                  • RtlEnterCriticalSection.NTDLL(00000000), ref: 0044B4E3
                                  • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0044B5A0
                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                    • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                    • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                  • String ID:
                                  • API String ID: 1726766782-0
                                  • Opcode ID: d1f4c8b32701f3515452156a35d83f93081eba70680028f938022ee8972e20b1
                                  • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                  • Opcode Fuzzy Hash: d1f4c8b32701f3515452156a35d83f93081eba70680028f938022ee8972e20b1
                                  • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                  APIs
                                  • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                  • EnableWindow.USER32(?,00000000), ref: 0044111A
                                  • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                  • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                  • EnableWindow.USER32(?,00000001), ref: 004411B3
                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  • API String ID: 642888154-0
                                  • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                  • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                  • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                  • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00442597
                                    • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                  • GetDesktopWindow.USER32 ref: 004425BF
                                  • GetWindowRect.USER32(00000000), ref: 004425C6
                                  • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                    • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                  • GetCursorPos.USER32(?), ref: 00442624
                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                  • String ID:
                                  • API String ID: 4137160315-0
                                  • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                  • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                  • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                  • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                  APIs
                                  • DeleteObject.GDI32(?), ref: 0044157D
                                  • 73F7A570.USER32(00000000,?,?,?,?,?,0045193C,?,?,?,?,000000FF,?,?,00000001,?), ref: 00441585
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$A570CreateDeleteFontMoveObjectWindow
                                  • String ID:
                                  • API String ID: 1051003937-0
                                  • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                  • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                  • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                  • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                  APIs
                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                  • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                  • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                  • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageSend
                                  • String ID:
                                  • API String ID: 1871949834-0
                                  • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                  • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                  • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                  • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                  APIs
                                  • _memset.LIBCMT ref: 0044961A
                                  • SendMessageW.USER32 ref: 0044964A
                                    • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                  • _wcslen.LIBCMT ref: 004496BA
                                  • _wcslen.LIBCMT ref: 004496C7
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                  • String ID:
                                  • API String ID: 1624073603-0
                                  • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                  • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                  • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                  • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: __fileno__setmode$DebugOutputString_fprintf
                                  • String ID:
                                  • API String ID: 3354276064-0
                                  • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                  • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                  • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                  • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                  • __calloc_crt.LIBCMT ref: 0041419B
                                  • __getptd.LIBCMT ref: 004141A8
                                  • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                  • __dosmaperr.LIBCMT ref: 00414201
                                    • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                    • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                  • String ID:
                                  • API String ID: 1803633139-0
                                  • Opcode ID: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
                                  • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                  • Opcode Fuzzy Hash: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
                                  • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                  • String ID:
                                  • API String ID: 1814673581-0
                                  • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                  • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                  • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                  • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                  APIs
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                  • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                  • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                  • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                  APIs
                                    • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                    • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                    • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                  • LineTo.GDI32(?,?,?), ref: 00447227
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                  • LineTo.GDI32(?,?,?), ref: 0044723D
                                  • EndPath.GDI32(?), ref: 0044724E
                                  • StrokePath.GDI32(?), ref: 0044725C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                  • String ID:
                                  • API String ID: 372113273-0
                                  • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                  • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                  • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                  • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  • API String ID: 4278518827-0
                                  • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                  • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                  • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                  • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                  APIs
                                  • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                  • RtlEnterCriticalSection.NTDLL(0042A321), ref: 0044B67B
                                  • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                    • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                  • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                  • RtlLeaveCriticalSection.NTDLL(0042A321), ref: 0044B6AF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  • API String ID: 3495660284-0
                                  • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                  • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                  • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                  • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                  • CloseHandle.KERNEL32(00000000), ref: 00437174
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                  • String ID:
                                  • API String ID: 839392675-0
                                  • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                  • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                  • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                  • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\4LbgdNQgna.exe,00000004), ref: 00436055
                                  • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                  • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                  • GetLastError.KERNEL32 ref: 00436081
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                  • String ID:
                                  • API String ID: 1690418490-0
                                  • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                  • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                  • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                  • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem_memset
                                  • String ID: 0
                                  • API String ID: 1173514356-4108050209
                                  • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                  • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                  • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                  • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                  • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                  • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: AU3_GetPluginDetails$Wu
                                  • API String ID: 145871493-136108093
                                  • Opcode ID: 86e4c61e32d2ed878dfd7fe720ec64e92d9a8cb9aafa3c38a6749b64446316ec
                                  • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                  • Opcode Fuzzy Hash: 86e4c61e32d2ed878dfd7fe720ec64e92d9a8cb9aafa3c38a6749b64446316ec
                                  • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                  • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 763830540-1403004172
                                  • Opcode ID: 7f2c4204b424c93c7ac22b89fbd31dfb367e10b18f94ca1fc21d6a87b04bc3c1
                                  • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                  • Opcode Fuzzy Hash: 7f2c4204b424c93c7ac22b89fbd31dfb367e10b18f94ca1fc21d6a87b04bc3c1
                                  • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                  APIs
                                  • GetStdHandle.KERNEL32(?), ref: 004439B4
                                    • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75572EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                    • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                    • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CurrentHandleProcess$Duplicate
                                  • String ID: nul
                                  • API String ID: 2124370227-2873401336
                                  • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                  • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                  • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                  • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                    • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75572EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                    • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                    • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CurrentHandleProcess$Duplicate
                                  • String ID: nul
                                  • API String ID: 2124370227-2873401336
                                  • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                  • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                  • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                  • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                  APIs
                                  • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                  • TranslateMessage.USER32(?), ref: 0044308B
                                  • DispatchMessageW.USER32(?), ref: 00443096
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Message$Peek$DispatchTranslate
                                  • String ID: *.*
                                  • API String ID: 1795658109-438819550
                                  • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                  • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                  • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                  • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                  • __swprintf.LIBCMT ref: 0045D3CC
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume__swprintf
                                  • String ID: %lu
                                  • API String ID: 3164766367-685833217
                                  • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                  • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                  • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                  • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _memset$_sprintf
                                  • String ID: %02X
                                  • API String ID: 891462717-436463671
                                  • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                  • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                  • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                  • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                  APIs
                                  • _memset.LIBCMT ref: 0042CD00
                                    • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\4LbgdNQgna.exe,?,C:\Users\user\Desktop\4LbgdNQgna.exe,004A8E80,C:\Users\user\Desktop\4LbgdNQgna.exe,0040F3D2), ref: 0040FFCA
                                    • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                    • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                    • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                    • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                    • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                    • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Path$FullName_wcscpy$DesktopFolderFromListMalloc_memset
                                  • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                  • API String ID: 1198364232-1954568251
                                  • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                  • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                  • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                  • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                  • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                  • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                  • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                  • String ID:
                                  • API String ID: 3488606520-0
                                  • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                  • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                  • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                  • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                  • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                  • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                  • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_wcslen
                                  • String ID:
                                  • API String ID: 535477410-0
                                  • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                  • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                  • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                  • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                  APIs
                                  • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                  • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                  • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                  • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                  • SendInput.USER32 ref: 0044C509
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: KeyboardMessagePostState$InputSend
                                  • String ID:
                                  • API String ID: 3031425849-0
                                  • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                  • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                  • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                  • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                                  APIs
                                  • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                  • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                  • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Enum$CloseDeleteOpen
                                  • String ID:
                                  • API String ID: 2095303065-0
                                  • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                  • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                  • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                  • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                  • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                  • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String
                                  • String ID:
                                  • API String ID: 2832842796-0
                                  • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                  • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                  • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                  • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00447C1B
                                  • ScreenToClient.USER32(?,?), ref: 00447C39
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                  • EndPaint.USER32(?,?), ref: 00447CD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: ClientPaintRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 659298297-0
                                  • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                  • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                  • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                  • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                  APIs
                                  • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                  • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                  • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                  • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                    • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                    • Part of subcall function 004413F0: SendMessageW.USER32(02F81B28,000000F1,00000000,00000000), ref: 004414C6
                                    • Part of subcall function 004413F0: SendMessageW.USER32(02F81B28,000000F1,00000001,00000000), ref: 004414F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Window$EnableMessageSend$Show
                                  • String ID:
                                  • API String ID: 476717838-0
                                  • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                  • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                  • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                  • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                  APIs
                                  • _memset.LIBCMT ref: 0044955A
                                    • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                  • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                  • _wcslen.LIBCMT ref: 004495C1
                                  • _wcslen.LIBCMT ref: 004495CE
                                  • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                  Similarity
                                  • API ID: MessageSend_wcslen$_memset_wcspbrk
                                  • String ID:
                                  • API String ID: 1843234404-0
                                  • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                  • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                  • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                  • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00445721
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                  • _wcslen.LIBCMT ref: 004457A3
                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                  • String ID:
                                  • API String ID: 3087257052-0
                                  • Opcode ID: 707967777abbcb615846d4014dd15678eb91240126a64b2d293a4799175c36b7
                                  • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                  • Opcode Fuzzy Hash: 707967777abbcb615846d4014dd15678eb91240126a64b2d293a4799175c36b7
                                  • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                  APIs
                                  Similarity
                                  • API ID: Destroy$DeleteMenuObject$Cursor
                                  • String ID:
                                  • API String ID: 1736985952-0
                                  • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                  • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                  • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                  • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                  APIs
                                    • Part of subcall function 004647A2: inet_addr.WS2_32(?), ref: 004647C7
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00464985
                                  • WSAGetLastError.WS2_32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                  • connect.WS2_32(00000000,00000000,00000010), ref: 004649CD
                                  • WSAGetLastError.WS2_32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                  • closesocket.WS2_32(00000000), ref: 00464A07
                                  Similarity
                                  • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                  • String ID:
                                  • API String ID: 245547762-0
                                  • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                  • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                  • Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                  • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 00447151
                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                  • SelectObject.GDI32(?,00000000), ref: 004471A2
                                  • BeginPath.GDI32(?), ref: 004471B7
                                  • SelectObject.GDI32(?,00000000), ref: 004471DC
                                  Similarity
                                  • API ID: Object$Select$BeginCreateDeletePath
                                  • String ID:
                                  • API String ID: 2338827641-0
                                  • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                  • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                  • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                  • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                  APIs
                                  • SendMessageW.USER32 ref: 004554DF
                                  • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                  • DeleteObject.GDI32(?), ref: 0045564E
                                  • DeleteObject.GDI32(?), ref: 0045565C
                                  • DestroyCursor.USER32(?), ref: 0045566A
                                  Similarity
                                  • API ID: DeleteMessageObjectSend$CursorDestroy
                                  • String ID:
                                  • API String ID: 200077650-0
                                  • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                  • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                  • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                  • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                  APIs
                                  • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                  • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                  • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                  Similarity
                                  • API ID: CounterPerformanceQuerySleep
                                  • String ID:
                                  • API String ID: 2875609808-0
                                  • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                  • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                  • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                  • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                                  APIs
                                  • SendMessageW.USER32 ref: 0046FD00
                                  • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                  • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                  • DestroyCursor.USER32(?), ref: 0046FD58
                                  • DestroyCursor.USER32(?), ref: 0046FD5F
                                  Similarity
                                  • API ID: MessageSend$CursorDestroy
                                  • String ID:
                                  • API String ID: 1839592766-0
                                  • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                  • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                  • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                  • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                  APIs
                                  • __getptd.LIBCMT ref: 004175AE
                                    • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                    • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                  • __amsg_exit.LIBCMT ref: 004175CE
                                  • __lock.LIBCMT ref: 004175DE
                                  • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                  • InterlockedIncrement.KERNEL32(02F82D00), ref: 00417626
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                  • String ID:
                                  • API String ID: 4271482742-0
                                  • Opcode ID: cef6af0c730a10c674891530ba4a9f92a8997b3b581fa775581189220e01fce3
                                  • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                  • Opcode Fuzzy Hash: cef6af0c730a10c674891530ba4a9f92a8997b3b581fa775581189220e01fce3
                                  • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                  • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                  • MessageBeep.USER32(00000000), ref: 0046036D
                                  • KillTimer.USER32(?,0000040A), ref: 00460392
                                  • EndDialog.USER32(?,00000001), ref: 004603AB
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                  • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                                  • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                  • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                                  APIs
                                  Similarity
                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                  • String ID:
                                  • API String ID: 2625713937-0
                                  • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                  • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                                  • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                  • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _malloc
                                  • String ID: Default$|k
                                  • API String ID: 1579825452-2254895183
                                  • Opcode ID: 3487a4ebd3b6326aef9d7885c20b94cf9b3333ebd549fd878091b2165ba8d13b
                                  • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                                  • Opcode Fuzzy Hash: 3487a4ebd3b6326aef9d7885c20b94cf9b3333ebd549fd878091b2165ba8d13b
                                  • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID: '$[$h
                                  • API String ID: 2931989736-1224472061
                                  • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                  • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                                  • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                  • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: >$R$U
                                  • API String ID: 909875538-1924298640
                                  • Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                  • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                                  • Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                  • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                                  APIs
                                    • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                  • CoInitialize.OLE32(00000000), ref: 0046CE18
                                  • CoCreateInstance.COMBASE(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                  • CoUninitialize.COMBASE ref: 0046CE50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                  • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                  • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                  • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                  APIs
                                    • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                  • CoInitialize.OLE32(00000000), ref: 00475B71
                                  • CoCreateInstance.COMBASE(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                  • CoUninitialize.COMBASE ref: 00475D71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                  • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                  • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                  • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                  Strings
                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                  • API String ID: 176396367-557222456
                                  • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                  • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                  • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                  • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                                  APIs
                                    • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                    • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                  • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$MemoryProcess$ReadWrite
                                  • String ID: @
                                  • API String ID: 4055202900-2766056989
                                  • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                  • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                                  • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                  • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CrackInternet_memset_wcslen
                                  • String ID: |
                                  • API String ID: 915713708-2343686810
                                  • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                  • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                                  • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                  • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                                  APIs
                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                  • HttpQueryInfoW.WININET ref: 0044A892
                                    • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                  • String ID:
                                  • API String ID: 3705125965-3916222277
                                  • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                  • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                                  • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                  • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                                  APIs
                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                  • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                  • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$MoveWindow
                                  • String ID: Listbox
                                  • API String ID: 3315199576-2633736733
                                  • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                  • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                  • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                  • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                  APIs
                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                  • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                  • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend$LibraryLoad
                                  • String ID: SysAnimate32
                                  • API String ID: 3205928328-1011021900
                                  • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                  • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                  • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                  • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                  APIs
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                    • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                    • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                    • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                    • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                  • GetFocus.USER32 ref: 004609EF
                                    • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                    • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                  • __swprintf.LIBCMT ref: 00460A7A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Thread$Parent$AttachClassCurrentFocusInputMessageNameProcessSendTimeoutWindow__swprintf_wcslen
                                  • String ID: %s%d
                                  • API String ID: 2272629743-1110647743
                                  • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                  • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                  • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                  • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                  • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                  • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                  • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                  • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                  APIs
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  • GetMenuItemInfoW.USER32 ref: 004497EA
                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                  • DrawMenuBar.USER32 ref: 00449828
                                  Strings
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw_malloc
                                  • String ID: 0
                                  • API String ID: 772068139-4108050209
                                  • Opcode ID: aba2b2f37e8aede0e07af882035f7c7ba327ed0a8d43e4983355c33413849c0f
                                  • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                  • Opcode Fuzzy Hash: aba2b2f37e8aede0e07af882035f7c7ba327ed0a8d43e4983355c33413849c0f
                                  • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: AllocTask_wcslen
                                  • String ID: hkG
                                  • API String ID: 2651040394-3610518997
                                  • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                  • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                  • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                  • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                  APIs
                                    • Part of subcall function 0044B64F: InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                    • Part of subcall function 0044B64F: RtlEnterCriticalSection.NTDLL(0042A321), ref: 0044B67B
                                    • Part of subcall function 0044B64F: TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                    • Part of subcall function 0044B64F: WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                    • Part of subcall function 0044B64F: InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                    • Part of subcall function 0044B64F: RtlLeaveCriticalSection.NTDLL(0042A321), ref: 0044B6AF
                                  • CloseHandle.KERNEL32(?), ref: 004531CD
                                  • CloseHandle.KERNEL32(?), ref: 004531D3
                                  • RtlDeleteCriticalSection.NTDLL(?), ref: 004531E5
                                  Strings
                                  Similarity
                                  • API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
                                  • String ID: 8E
                                  • API String ID: 2929296749-1085311475
                                  • Opcode ID: c61f13eb59cfec71f35fe65c61819763ea027a7e76d08ad69ff2ca2c41b35a06
                                  • Instruction ID: 0a6328ff2974cbb42b4f3c5e04a925075b5ca64496294cc8de57381fdb2f6802
                                  • Opcode Fuzzy Hash: c61f13eb59cfec71f35fe65c61819763ea027a7e76d08ad69ff2ca2c41b35a06
                                  • Instruction Fuzzy Hash: F4E092724007009BC320BFA9E845C8BF7ECAE983103114C1FE441D3210D7B8F441CBA9
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                  • API String ID: 2574300362-1816364905
                                  • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                  • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                  • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                  • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,00000000,?,?,00000101,?,?), ref: 004343DE
                                  • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpSendEcho
                                  • API String ID: 2574300362-58917771
                                  • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                  • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                  • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                  • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                  • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCloseHandle
                                  • API String ID: 2574300362-3530519716
                                  • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                  • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                  • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                  • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                  • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCreateFile
                                  • API String ID: 2574300362-275556492
                                  • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                  • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                  • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                  • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: IsWow64Process$kernel32.dll
                                  • API String ID: 2574300362-3024904723
                                  • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                  • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                                  • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                  • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                                  APIs
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: c8a8680659340ce3ae7b61d15611f915275d61821cdaab737acf418eefb31e18
                                  • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                  • Opcode Fuzzy Hash: c8a8680659340ce3ae7b61d15611f915275d61821cdaab737acf418eefb31e18
                                  • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                  • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                  • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                  • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                  Similarity
                                  • API ID: CopyVariant$ErrorLast
                                  • String ID:
                                  • API String ID: 2286883814-0
                                  • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                  • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                  • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                  • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                  APIs
                                  • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                  • GetWindowRect.USER32(?,?), ref: 00441D5A
                                  • PtInRect.USER32(?,?,?), ref: 00441D6F
                                  • MessageBeep.USER32(00000000), ref: 00441DF2
                                  Similarity
                                  • API ID: Rect$BeepClientMessageScreenWindow
                                  • String ID:
                                  • API String ID: 1352109105-0
                                  • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                  • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                  • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                  • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                  APIs
                                  • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                  • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                  Similarity
                                  • API ID: MessageSend$InvalidateRect
                                  • String ID:
                                  • API String ID: 2778011698-0
                                  • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                  • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                  • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                  • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                  • __isleadbyte_l.LIBCMT ref: 004238B2
                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                  • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                  • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                  • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                  • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                  • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                  • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                  • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                  • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                  APIs
                                    • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                    • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                  • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                  • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                  • __itow.LIBCMT ref: 00461461
                                  • __itow.LIBCMT ref: 004614AB
                                  Similarity
                                  • API ID: MessageSend$__itow$_wcslen
                                  • String ID:
                                  • API String ID: 2875217250-0
                                  • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                  • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                  • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                  • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00472806
                                    • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                    • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                    • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                  • GetCaretPos.USER32(?), ref: 0047281A
                                  • ClientToScreen.USER32(00000000,?), ref: 00472856
                                  • GetForegroundWindow.USER32 ref: 0047285C
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                  • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                  • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                  • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                  APIs
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                  • DeleteObject.GDI32(?), ref: 0045564E
                                  • DeleteObject.GDI32(?), ref: 0045565C
                                  • DestroyCursor.USER32(?), ref: 0045566A
                                  Similarity
                                  • API ID: DeleteObject$CursorDestroyMoveWindow
                                  • String ID:
                                  • API String ID: 3883585953-0
                                  • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                  • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                  • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                  • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                  APIs
                                  • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                  • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                  • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                  Similarity
                                  • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                  • String ID:
                                  • API String ID: 2621361867-0
                                  • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                  • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                  • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                  • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                  APIs
                                  • IsWindow.USER32(00000000), ref: 00459DEF
                                  • GetForegroundWindow.USER32 ref: 00459E07
                                  • 73F7A570.USER32(00000000,?,00000000,00000000), ref: 00459E44
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                  Similarity
                                  • API ID: Window$A570ForegroundPixel
                                  • String ID:
                                  • API String ID: 3422921477-0
                                  • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                  • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                  • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                  • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                  APIs
                                  • select.WS2_32 ref: 0045890A
                                  • __WSAFDIsSet.WS2_32(00000000,00000000), ref: 00458919
                                  • accept.WS2_32(00000000,00000000,00000000), ref: 00458927
                                  • WSAGetLastError.WS2_32(00000000), ref: 00458952
                                  Similarity
                                  • API ID: ErrorLastacceptselect
                                  • String ID:
                                  • API String ID: 385091864-0
                                  • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                  • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                  • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                  • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                  • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                  • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                  • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                  • GetStockObject.GDI32(00000011), ref: 00433695
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                  • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Window$CreateMessageObjectSendShowStock
                                  • String ID:
                                  • API String ID: 1358664141-0
                                  • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                  • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                  • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                  • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                  • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                  • CloseHandle.KERNEL32(00000000), ref: 00444213
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 2880819207-0
                                  • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                  • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                  • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                  • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00434037
                                  • ScreenToClient.USER32(?,?), ref: 0043405B
                                  • ScreenToClient.USER32(?,?), ref: 00434085
                                  • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ClientRectScreen$InvalidateWindow
                                  • String ID:
                                  • API String ID: 357397906-0
                                  • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                  • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                  • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                  • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 00436A45
                                    • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                  • __wsplitpath.LIBCMT ref: 00436A6C
                                  • __wcsicoll.LIBCMT ref: 00436A93
                                  • __wcsicoll.LIBCMT ref: 00436AB0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                  • String ID:
                                  • API String ID: 1187119602-0
                                  • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                  • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                  • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                  • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _wcslen$_malloc_wcscat_wcscpy
                                  • String ID:
                                  • API String ID: 1597257046-0
                                  • Opcode ID: ef4c8eb1668fb764ac9879486c39433899b48e1b70f0ed706df85b8b39ec7f0c
                                  • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                  • Opcode Fuzzy Hash: ef4c8eb1668fb764ac9879486c39433899b48e1b70f0ed706df85b8b39ec7f0c
                                  • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                  APIs
                                  • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                  • DeleteObject.GDI32(?), ref: 0045564E
                                  • DeleteObject.GDI32(?), ref: 0045565C
                                  • DestroyCursor.USER32(?), ref: 0045566A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: DeleteObject$CursorDestroyMessageSend
                                  • String ID:
                                  • API String ID: 2743624342-0
                                  • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                  • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                                  • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                  • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                                  APIs
                                  • RtlEnterCriticalSection.NTDLL(?), ref: 0044B60B
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 0044B630
                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 0044B641
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                  • String ID:
                                  • API String ID: 2223660684-0
                                  • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                  • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                  • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                  • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                  APIs
                                    • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                    • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                    • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                    • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                  • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                  • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                  • EndPath.GDI32(?), ref: 004472B0
                                  • StrokePath.GDI32(?), ref: 004472BE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                  • String ID:
                                  • API String ID: 2783949968-0
                                  • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                  • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                  • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                  • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                  APIs
                                  • __getptd.LIBCMT ref: 00417D1A
                                    • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                    • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                  • __getptd.LIBCMT ref: 00417D31
                                  • __amsg_exit.LIBCMT ref: 00417D3F
                                  • __lock.LIBCMT ref: 00417D4F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                  • String ID:
                                  • API String ID: 3521780317-0
                                  • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                  • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                  • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                  • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                  APIs
                                  • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                  • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                  • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                  • AttachThreadInput.USER32(00000000), ref: 004389E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  • String ID:
                                  • API String ID: 2710830443-0
                                  • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                  • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                  • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                  • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: BuffCharLower
                                  • String ID: $8'I
                                  • API String ID: 2358735015-3608026889
                                  • Opcode ID: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
                                  • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                  • Opcode Fuzzy Hash: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
                                  • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                  APIs
                                  • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                    • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                    • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                    • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                  • String ID: AutoIt3GUI$Container
                                  • API String ID: 3380330463-3941886329
                                  APIs
                                  • _wcslen.LIBCMT ref: 00409A61
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                    • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                    • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                    • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                  • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                  Similarity
                                  • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                  • String ID: F
                                  • API String ID: 1143807570-3850746006
                                  APIs
                                    • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                    • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                  • __wcsnicmp.LIBCMT ref: 0046681A
                                  • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                  Similarity
                                  • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                  • String ID: LPT
                                  • API String ID: 3035604524-1350329615
                                  Similarity
                                  • API ID: InfoItemMenu_memset
                                  • String ID: 0
                                  • API String ID: 2223754486-4108050209
                                  APIs
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: '
                                  • API String ID: 3850602802-1997036262
                                  Similarity
                                  • API ID:
                                  • String ID: msctls_updown32
                                  • API String ID: 0-2298589950
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00474833
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  Similarity
                                  • API ID: htonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 3832099526-2422070025
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                  Similarity
                                  • API ID: MessageSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 455545452-1403004172
                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: InternetOpen
                                  • String ID: <local>
                                  • API String ID: 2038078732-4266983199
                                  • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                  • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                  • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                  • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 455545452-1403004172
                                  • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                  • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                  • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                  • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                                  APIs
                                    • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                  • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 455545452-1403004172
                                  • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                  • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                                  • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                  • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: ,$UTF8)
                                  • API String ID: 909875538-2632631837
                                  • Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                  • Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
                                  • Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                  • Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: ,$UTF8)
                                  • API String ID: 909875538-2632631837
                                  • Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                  • Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
                                  • Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                  • Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
                                  APIs
                                  • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                    • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                  • wsprintfW.USER32 ref: 004560E9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: MessageSend_mallocwsprintf
                                  • String ID: %d/%02d/%02d
                                  • API String ID: 1262938277-328681919
                                  • Opcode ID: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                  • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                  • Opcode Fuzzy Hash: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                  • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000014,00000FA0,?,00443813,00000000,?,?,?,?), ref: 004437C5
                                    • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75572EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                    • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                    • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                  • InterlockedExchange.KERNEL32(00000034,000001F4), ref: 004437EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: CurrentProcess$CountCriticalDuplicateExchangeHandleInitializeInterlockedSectionSpin
                                  • String ID: 8E
                                  • API String ID: 3923574768-1085311475
                                  • Opcode ID: 36240ab7c0022e2826da7c31d01ddfc35fd25910729351edd7bcc97cd14444cd
                                  • Instruction ID: bb040560f7d3c865a2ce589922e7051d7770a8f6cdeed20eb1dfb0fe2d0285bd
                                  • Opcode Fuzzy Hash: 36240ab7c0022e2826da7c31d01ddfc35fd25910729351edd7bcc97cd14444cd
                                  • Instruction Fuzzy Hash: 15F0F8B1104B019FD360DF54D949B87B7E8AB48714F40892DE59A87A90E7B4F4488B62
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                    • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                  • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                                  • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                  • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                                  • PostMessageW.USER32(00000000), ref: 00442247
                                    • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                  • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                  • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                  • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                    • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1427645459.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1427633202.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000482000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.0000000000490000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427645459.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427747198.00000000004CA000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1427759594.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4LbgdNQgna.jbxd
                                  Similarity
                                  • API ID: Message_doexit
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 1993061046-4017498283
                                  • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                  • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                  • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                  • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
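The function records above follow one fixed layout (an APIs list of `Name.MODULE(args), ref: address` lines, subcall lines prefixed with `Part of subcall function`, then Similarity key-values), which makes them easy to parse for triage. The following Python is an added example and is not Joe Sandbox code or part of this report: it parses records in that layout, names the uMsg constants of the SendMessageW/PostMessageW calls seen in this section (WM_COMMAND 0x111, LB_ADDSTRING 0x180, LB_DELETESTRING 0x182, LVM_SETBKCOLOR 0x1001, values from the Windows SDK headers), and flags three things a triager would pull out of these records: the MessageBoxW with title `AutoIt` and text `Error allocating memory.` (the AutoIt3 runtime's out-of-memory handler, a standard marker of an AutoIt-compiled binary), the WM_COMMAND posted to the taskbar window `Shell_TrayWnd`, and InternetOpenW paired with the `<local>` proxy-bypass token. The `SAMPLE` text is constructed from this section's own records with the Strings and Memory Dump Source entries left out; the record grammar and the heuristics are this example's assumptions, not Joe Sandbox's own parser.

```python
"""Parse Joe Sandbox function records (APIs / Similarity blocks) and run triage heuristics.
Added example, not Joe Sandbox code. SAMPLE is constructed from this section's records; the
Strings and Memory Dump Source entries are left out because the parser ignores them."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
Similarity
• String ID: <local>
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
Similarity
• String ID: ComboBox$ListBox
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Similarity
• String ID: Shell_TrayWnd
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
Similarity
• String ID: AutoIt$Error allocating memory.
"""
# uMsg values of the SendMessageW/PostMessageW calls in this section (winuser.h, commctrl.h).
WINDOW_MESSAGES = {0x0111: "WM_COMMAND", 0x0180: "LB_ADDSTRING",
                   0x0182: "LB_DELETESTRING", 0x1001: "LVM_SETBKCOLOR"}  # LVM_FIRST + 1
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                      # call-site address
    parent: Optional[str] = None  # set when the call sits in a subcall of the record's function

@dataclass
class Record:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Similarity / dump-source key-values

    def direct_calls(self) -> list[ApiCall]:
        return [c for c in self.calls if c.parent is None]

def parse_records(text: str) -> list[Record]:
    """One Record per 'APIs' header: API lines become calls, other bullet key-values become meta."""
    records, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in SECTION_HEADERS:
            if line == "APIs":
                records.append(Record())
            section = line
        elif records and section == "APIs" and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif records and section != "APIs" and (m := KV_LINE.match(line)):
            records[-1].meta[m["key"].strip()] = m["value"].strip()
    return records

def decode_message(call: ApiCall) -> Optional[str]:
    """Name the uMsg of a Send/PostMessageW call; None when the argument was not resolved ('?')."""
    if call.name not in ("SendMessageW", "PostMessageW") or len(call.args) < 2:
        return None
    try:
        msg = int(call.args[1], 16)
    except ValueError:
        return None
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")

def triage(records: list[Record]) -> list[str]:
    findings = []
    for i, rec in enumerate(records):
        by_name = {c.name: c for c in rec.direct_calls()}
        mb = by_name.get("MessageBoxW")
        if mb and "AutoIt" in mb.args:  # AutoIt3's out-of-memory handler shows exactly this box
            findings.append(f"record {i}: AutoIt runtime error box at {mb.ref} -> AutoIt-compiled binary")
        fw, pm = by_name.get("FindWindowW"), by_name.get("PostMessageW")
        if fw and pm and fw.args[:1] == ["Shell_TrayWnd"]:  # message posted to the taskbar window
            findings.append(f"record {i}: posts {decode_message(pm) or 'unresolved uMsg'} to Shell_TrayWnd at {pm.ref}")
        io = by_name.get("InternetOpenW")
        if io and rec.meta.get("String ID") == "<local>":  # WinINet session with proxy-bypass token
            findings.append(f"record {i}: InternetOpenW with '<local>' proxy-bypass string at {io.ref}")
        for c in rec.direct_calls():
            if (msg := decode_message(c)) in WINDOW_MESSAGES.values():
                findings.append(f"record {i}: {c.name} uMsg={msg} at {c.ref}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(parse_records(SAMPLE))))
```

Running the block over the four constructed records prints one finding per heuristic plus the decoded uMsg lines; pointing `parse_records` at the full report text instead of `SAMPLE` gives the same summary for every function record in the disassembly section, with subcall entries kept separate from the record's own calls so that a heuristic does not attribute a library helper's API to the caller.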